
Re: [Openvpn-users] openVPN through Cisco firewall!

  • Subject: Re: [Openvpn-users] openVPN through Cisco firewall!
  • From: "Peter Njiiri" <pnjiiri@xxxxxxxxx>
  • Date: Sat, 07 Jul 2007 12:12:00 +0400

Again, thanks for the feedback. Yes, you are correct in your interpretation of the network. The software I'm installing (LDAP client) that needs no NAT requires that the destination IP be . This is because the OpenVPN host is running the LDAP server, which listens on eth0. So in this scenario, should I:
1. Use the VPN IP as the destination IP, i.e. , as it seems using doesn't work because the communication back from the LDAP server goes through NAT?
2. Is the address bound to the eth0 IP, so that I can use it as the destination IP?
3. I tried Ethernet bridging, but it didn't work.
Please note that the remote IP the VPN client is referencing is configured on a switch behind the firewall, which maps the internal NIC to external access. Is this a problem?
I did a traceroute from the remote client ( to the OpenVPN internal NIC ( and it shows only one hop to the destination (the hop is the destination address, whereas a traceroute from to shows three hops (through the firewall, the remote router, then the remote destination). When I ping from, I can see tcpdump activity on tun0 on the OpenVPN server, but if I ping from I DO NOT see tcpdump activity on tun0 on the client; it is received on eth1 on the client. Why is this happening??? Have a great day!

>>> Erich Titl <erich.titl@xxxxxxxx> 05/07/2007 23:38 >>>
Peter Njiiri wrote:
> Hi
> Thanks for the feedback. I need to bypass the firewall as it's blocking
> the traffic (I think) (as no packets are received on the tun interface
> of the remote server when I ping the from

You will not see packets on the tun interface with this kind of traffic;
this is _not_ tunneled traffic.

> If I
> try to force the internal traffic by adding a route for the internal
> network, i.e through the tunnel, ping doesn't work. Yes the
> tunnel is up with no errors,Initialization Sequence is done. Yes from
>, I can ping successfully to (tun interface of the
> remote server) from and vice versa (when I ping
> from

Let's see, is the tunnel endpoint on your server, right?

> As said, I want to communicate from the
> to the remote server ( without passing through
> NAT (firewall) because the software I'm installing on the remote server
> requires no NAT communication.

In reality you want to communicate with 10.8.0.x, else you won't be
going through the tunnel.

> Is there a way that this can be done???
> Which IP should I assign the software so that it communicates through
> the tunnel, the physical nic or the virtual tun one???Maybe it's the
> concept I'm missing??

Let's see, the software you want to access lives on the client. You want
to access it through the tunnel, hence you will have to access it
through a tunnel address, which, in your case, appears to be on the network

If I interpret your situation correctly, it is something like:

OpenVPN server
ip ..... tunnel address
the big bad Cisco-protected net we don't care about as long as the
tunnel comes up
ip ..... tunnel address (probably)
OpenVPN client

So in this case your traffic from the server to the client will go to, you just don't care what network you are tunneling through as
long as there is no address conflict. If the tunnel traffic is NATed
once or twenty-five times, it does not affect the tunneled traffic.
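The point Erich makes above (only traffic whose destination is routed to tun0 ever enters the tunnel; the NAT on the outer path is irrelevant to it) can be checked with a small route lookup. The following is an added example, not code from the thread or from OpenVPN itself. The addresses are assumptions: the original posts' IPs were stripped, and only the 10.8.0.x tunnel network is named, so the server LAN (192.168.1.0/24), the client LAN (192.168.2.0/24) and the client's tunnel address (10.8.0.6) are made up for illustration.

```python
import ipaddress

# Constructed routing table for the OpenVPN *server* in Erich's diagram
# (prefix, egress device, next-hop gateway or None for on-link).
# All addresses are assumptions; the thread only names 10.8.0.x.
SERVER_ROUTES = [
    ("0.0.0.0/0",      "eth0", "192.168.1.1"),  # default route towards the Cisco firewall
    ("192.168.1.0/24", "eth0", None),           # server's own physical LAN
    ("10.8.0.0/24",    "tun0", None),           # OpenVPN tunnel network
]


def egress(routes, dst):
    """Longest-prefix match, as the kernel forwarding decision does it.

    Returns (device, gateway). Raises LookupError if nothing matches,
    which cannot happen here because of the default route.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def is_tunneled(routes, dst, tun_dev="tun0"):
    """True only when the packet would leave via the tun device, i.e. be
    encrypted and encapsulated by OpenVPN. Anything else goes out eth0
    in the clear and through whatever NAT the firewall applies."""
    return egress(routes, dst)[0] == tun_dev


def with_client_lan_route(routes, client_lan, client_tun_ip):
    """The route Peter describes adding: send the client's LAN via the
    tunnel. On the server this is one extra kernel route pointing at the
    client's tunnel address; OpenVPN needs matching config (below)."""
    return routes + [(client_lan, "tun0", client_tun_ip)]


def openvpn_server_config(client_lan, client_cn):
    """Server-side OpenVPN directives for reaching a client-side LAN:
    'route' installs the kernel route, and an 'iroute' in the client's
    client-config-dir file tells OpenVPN which client owns that LAN
    (client_cn is an assumed certificate common name)."""
    net = ipaddress.ip_network(client_lan)
    return {
        "server.conf": f"route {net.network_address} {net.netmask}",
        f"ccd/{client_cn}": f"iroute {net.network_address} {net.netmask}",
    }


if __name__ == "__main__":
    # Addressing the client's tunnel IP: goes through tun0, as Erich says.
    print("10.8.0.6     ->", egress(SERVER_ROUTES, "10.8.0.6"))
    # Addressing a host on the client's LAN with no extra route: eth0 + NAT.
    print("192.168.2.10 ->", egress(SERVER_ROUTES, "192.168.2.10"))
    routed = with_client_lan_route(SERVER_ROUTES, "192.168.2.0/24", "10.8.0.6")
    print("192.168.2.10 (with route) ->", egress(routed, "192.168.2.10"))
    for path, line in openvpn_server_config("192.168.2.0/24", "client1").items():
        print(f"{path}: {line}")
```

Running it shows why pinging the tunnel address produces tcpdump activity on tun0 while pinging a physical LAN address does not: without the extra route the physical address matches only the default route and leaves via eth0, exposed to the firewall's NAT. Adding the LAN route (plus the matching OpenVPN `route`/`iroute` so the server knows which client owns that LAN) is what makes the same destination traverse the tunnel.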