Tercestisi asked:
2 NICs, 2 VLAN Access Ports, No Connection

We have a network with multiple VLANs, 2 of which are of importance here (vlan 10 with 10.1.1.0/24 and vlan 11 with 10.137.1.0/24).

We have a Windows XP box acting as a server, from a 3rd party vendor.

Previously the machine had one NIC assigned with 10.137.1.100, connected to 10.137.1.0/24, which connects to an access port for vlan 11 on a Cisco Catalyst 2960. Access works fine here, and routing is setup so that vlan 10 and vlan 11 can access each other through an ASA 5505 Security Plus appliance.

One of our remote sites utilizes a Linksys RV042 as a VPN endpoint, and they need access to both vlan 10 and this single host on vlan 11. The RV042 can only tunnel one subnet at a time, so it's tunneled to the vlan 10 subnet.

Our idea, sans installing an ASA at this remote site to tunnel multiple subnets, is to install another NIC on this host with an IP address on the vlan 10 subnet. So one NIC would have 10.137.1.100 with a gateway of 10.137.1.1 and is connected to a vlan 11 access port, and the other NIC would have 10.1.1.100 with a gateway of 10.1.1.1 and is connected to a vlan 10 access port.

When I enable both network adapters, neither is accessible on its respective network, and attempting to access other hosts on the respective networks from the server times out as well.

Is this setup a problem since routing at the ASA allows vlan 10 and vlan 11 to communicate, and return packets are getting lost in a loop?  I would think if this is the case that packet response would be intermittent, instead of not at all.

Any ideas here?

John Meggers:

So when the server is dual-homed you want to access it through the VPN over the 10.1.1.0 subnet since that's encrypted to and from the remote site? I'm guessing the remote location is unknown to the server. What does the server think is its default gateway? It may be confused if it has two default gateways.
Only 1 of the NICs in the XP "server" should have a default gateway, the other should have no default gateway value.  That means that only other nodes on the same subnet will access the XP machine via this NIC but traffic bound for other subnets will access it via the primary NIC.
Tercestisi (asker):

jmeggers -

We are not testing yet over the VPN connection, just from the local subnets corresponding to those NICs.

mlongoh -

Probably won't work then, as the reason for two NICs with two default gateways is because the 3rd party vendor uses a separate VPN tunnel to talk with this host (the original NIC), and has a conflicting subnet with our 10.1.1.0/24 subnet... otherwise they'd all be on the same subnet. Re-addressing on either side is not an option. Therefore one VPN tunnel needs access to the host listening on 10.1.1.0/24 and the other VPN tunnel needs access to the host listening on 10.137.1.0/24. Dual-homing a single NIC is not an option either, due to utilizing VLAN access ports.

I was hoping to accomplish something with static routes on this XP box, but may just need to go the ASA route at this remote site so we can tunnel multiple subnets.
Have you considered creating a DMZ-style VLAN and a NAT to the PC that the third party vendor can use to access the XP box? Then the box could sit on the 10.1.1.0 subnet, your remote site would be able to access it, and the vendor could get to it via an alternate (non-conflicting) address.
There is more than one host on this network, so I'm not sure that would be the best route. VPN tunnels also need to be established due to constant database replication among the sites.
Sorry I guess I'm not seeing the whole picture - I thought the XP host was on VLAN11 because the third party vendor needs to access the box and can't access VLAN10 because they're using the same subnet addressing on their end.   But your remote site needs to access the box via their VPN tunnel and they can access VLAN10 but not VLAN11.  Is it that the third party vendor needs to access other hosts on VLAN11 as well?

Also, I'm assuming that the ASA is your router and your VPN solution, which is why VPN traffic is not getting routed between internal subnets?
Pretty close.

VLAN10 is our main office network and VLAN11 hosts multiple hosts (~10) that need to be accessible via VPN from the 3rd party vendor (REMOTE 1). We have our own remote site (REMOTE 2) that has an existing VPN tunnel to VLAN10, but needs to access only this single host on VLAN11. Internal routing between VLAN10 and VLAN11 works fine, but VLAN11 is inaccessible from REMOTE 2 because the RV042 can only tunnel one remote subnet at a time.

If there is another way to access this single host on VLAN11 from REMOTE 2, that is great.  Due to the setup, there always seems to be something that prevents any solution (other than installing an ASA at REMOTE 2) from completely working. I asked the question previously if there was a way to setup some sort of static route from REMOTE 2 to access the host on VLAN11 from the existing tunnel to VLAN10, since REMOTE 2 can access VLAN10, and VLAN10 can access VLAN11; seems plausible, but I have not gotten it to work and received no solutions to that question.

For reference to that question: https://www.experts-exchange.com/questions/26473913/Cisco-ASA-and-Linksys-RV042-VLAN-Multiple-Subents.html

The ASA is acting as a router on a stick and is the VPN endpoint.
I would expect that REMOTE2 should be able to access the hosts on VLAN11 via routing in the ASA.  I'm guessing that the routing table in the ASA needs to be updated to allow traffic destined for REMOTE2's subnet to get directed to the correct interface.

Traditionally Cisco routers that handle VPN traffic as well won't route traffic in and out through the same interface.  For example, if your router is the only access to the internet, a remote user with a VPN connection wouldn't be able to access the Internet through the VPN tunnel because the route would require forwarding the packets back out the interface that it comes in on.  

However, in your case, you presumably have 2 internal VLANs and an Internet facing interface.  So, there should be no reason why your REMOTE2 users can't access that XP machine once the route is confirmed.
Also, a static route to VLAN11 would need to be created on the RV042.
That's what I figured, as we have multiple internal VLANs and an internet-facing interface.

Any help on setting up the routing correctly for this, both the correct static route on the RV042 and the necessary internal routing on the ASA?
Glad to try.  Can you show me the routing table for both routers and identify the subnet behind the Linksys at the remote site?
OK; think I have it all here (all IP's private and public changed, per policy and common sense).

I attached an image, as I couldn't get the formatting well in the code section here.
Hit submit too soon; here's the image.
[Attached image: routing-and-vpn-notes.jpg]
ASKER CERTIFIED SOLUTION by mlongoh:
You probably will also need to add an ACL entry on the ASA to allow traffic from whatever REMOTE2's subnet is to get to VLAN11's subnet.
If there is equivalent permission control on the RV042 then you'll have to have an ACL entry that allows traffic from 10.137.1.0 to access REMOTE2's subnet.

Once you have the tunnels established, which you obviously do, it boils down to routing and access control.
Thanks very much.

I have tried that static route already, but now see why it's not working.

After adding the static route it does not appear in the routing table on the RV042, and via reading the documentation I see that static routes will not work if DHCP is enabled on the RV042.

So either I need to disable DHCP and statically assign IP's to all hosts (not a huge deal as there are only 4 hosts at this small remote site) or go with the ASA.

I will drive out there tomorrow to statically assign the IP addresses, and see if the static route then adds itself to the routing table.
That doesn't make any sense to me, but I'm not saying it's not true - nothing surprises me too much these days - but I find it difficult to accept.  One doesn't have anything to do with the other.  I looked at the documentation for that device and couldn't find that statement.

Don't take offense, but you aren't confusing static IP addressing with static routes are you?  Page 19 of this doc http://www.cisco.com/en/US/docs/routers/csbr/rv042/admin/guide/RV042_V10_UG_C-WEB.pdf explains how to set static routes on the device.
No, it doesn't make any sense, I agree, but here it is within their online help for the static routing page:

Static Routing:

You will need to configure Static Routing if there are multiple routers installed on your network. The static routing function determines the path that data follows over your network before and after it passes through the Router. You can use static routing to allow different IP domain users to access the Internet through this device. This is an advanced feature. Please proceed with caution.

This Router is also capable of dynamic routing (see the Dynamic Routing tab). In many cases, it is better to use dynamic routing because the function will allow the Router to automatically adjust to physical changes in the network's layout. In order to use static routing, the Router's DHCP settings must be disabled.
Hmm. re-reading it, possibly it's saying that the DHCP on the WAN side must be disabled and not the internal DHCP server itself.

Anyhow, when I add a static route, it doesn't add the route to the routing table on the RV042.
SOLUTION:
Found this:

The 042 and 082 will not accept/route gateways that are at the other end of a VPN Tunnel. It will only do the auto-created single static route in its own subnet.

So looks like the RV042 just isn't capable; we will be going the ASA route.

Thanks for your help!
RV042 is not capable of creating static routes with a gateway on the remote side of a VPN tunnel.
How very disappointing to learn of that limitation, but glad to see that you have a clear answer.
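For reference, here is what "routing and access control" on the head-end ASA looks like once an ASA replaces the RV042 at REMOTE2, as the thread concludes. This is an added example, not configuration posted by anyone in the thread or taken from the attached image. Every value that the thread does not give is assumed: the REMOTE2 LAN (192.168.2.0/24), the REMOTE2 ASA's public address (203.0.113.2), the interface names "inside" (VLAN10) and "vlan11" (VLAN11), the ACL, crypto-map, group-policy and transform-set names, and the IKE parameters. The syntax is ASA 8.2-style (pre-8.3 NAT).

```cisco
! Added example, not from the thread. Assumed values: REMOTE2 LAN 192.168.2.0/24,
! REMOTE2 ASA public address 203.0.113.2, VLAN10 on interface "inside",
! VLAN11 on a sub-interface named "vlan11". ASA 8.2-style NAT syntax.

! Interesting traffic (proxy IDs): both local subnets are offered to the one
! tunnel. VLAN11 is scoped to the single host REMOTE2 actually needs, not the
! whole /24, so the tunnel carries no more than it must.
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip host 10.137.1.100 192.168.2.0 255.255.255.0

! NAT exemption, per ingress interface, so tunnelled traffic is not translated.
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vlan11_nat0_outbound extended permit ip host 10.137.1.100 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (vlan11) 0 access-list vlan11_nat0_outbound

! Phase 1 / Phase 2 parameters (assumed; the REMOTE2 ASA must match them).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside

! Access control on the decrypted traffic. "sysopt connection permit-vpn" is
! on by default, so decrypted VPN traffic bypasses the interface ACLs; a
! vpn-filter on the tunnel's group policy enforces least privilege instead.
! vpn-filter ACLs are written remote-source -> local-destination.
access-list remote2_vpn_filter extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list remote2_vpn_filter extended permit ip 192.168.2.0 255.255.255.0 host 10.137.1.100
group-policy remote2_policy internal
group-policy remote2_policy attributes
 vpn-filter value remote2_vpn_filter
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy remote2_policy
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <strong-shared-secret>
```

The REMOTE2 ASA carries the mirror image: the same two crypto ACL entries with source and destination swapped, its own NAT exemption, and the head-end's public address as the peer. Phase 2 proxy IDs have to match entry for entry on both ends, which is exactly why a peer that can only offer one local/remote subnet pair per tunnel (the RV042 in the thread) cannot be extended to a second subnet by a static route: the second subnet never becomes interesting traffic for the SA. The server itself keeps a single NIC and a single default gateway on VLAN11, as John Meggers recommended; the ASA, not a second NIC, makes it reachable from REMOTE2.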