Tercestisi asked:
Cisco ASA and Linksys RV042 VLAN - Multiple Subents

We have a situation where we have a Cisco ASA 5505 Security+ device on one WAN IP and a Linksys RV042 on another WAN IP that are setup with a site-to-site VPN tunnel. Each side is tunneling a specific subnet to each other and this works fine.

Management would like to be able to tunnel (2) subnets on the ASA side to the single subnet on the RV042 side, though I am unsure of the possibility of this without replacing the RV042 with a similar ASA (which is doable budget-wise, but they'd rather not). I did set up a duplicate tunnel, for testing, on the RV042 (so there were (2) simultaneous tunnels) with the single WAN IP where the ASA sits. This *worked*, but we did end up running into situations where certain other tunnels stopped working or all of the tunnels stopped working altogether (since we were more or less doing something on the RV042 that wasn't necessarily meant to be).

Unfortunately I don't see anything on the RV042 to tunnel multiple subnets within a single IPSEC session, so I'm curious if I couldn't set up a sort of static route on the RV042 so that it could access the second VLAN on the ASA side.

Basically, the main tunnel is between 10.0.0.0/24 on the RV042 side and 10.1.1.24 on the ASA side, but we have a web server on subnet 10.3.3.0/24 on the ASA that needs to be accessed from the RV042 side. Would a static route work for this?
Fidelius:

Hi,

If you can re-address networks on ASA side, to something like:
10.1.1.0/24 ---> 10.2.2.0/24
Then you could supernet networks on RV042 side to 10.2.2.0/23. Unfortunately on current addresses setup you can't use /23.

Regards!

Yeah I think your best option is to replace the RV042 since it is limited to building the tunnel to whatever single LAN network is configured.
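As an added illustration of the supernetting idea raised above (example code written for this page, not from anyone in the thread): the Python below takes the ASA-side subnets, computes the smallest single CIDR block that covers them, reports how much address space that block would pull into the tunnel beyond the subnets actually wanted, and checks whether the block collides with the peer's own LAN. The addresses are the thread's own; the function names are my own.

```python
import ipaddress
from typing import Iterable, List


def smallest_supernet(cidrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single CIDR block that contains every network in cidrs."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    if not nets:
        raise ValueError("at least one network is required")
    candidate = nets[0]
    # Widen the prefix one bit at a time until every network fits inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def uncovered_space(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Blocks inside the covering supernet that none of the listed networks use."""
    cidrs = list(cidrs)
    remaining = [smallest_supernet(cidrs)]
    wanted = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    for n in wanted:
        next_remaining = []
        for r in remaining:
            if n.subnet_of(r):
                # Carve n out of r (yields nothing when n == r).
                next_remaining.extend(r.address_exclude(n))
            elif r.subnet_of(n):
                continue  # r lies entirely inside a wanted block; drop it
            else:
                next_remaining.append(r)
        remaining = next_remaining
    return sorted(remaining)


def extra_addresses(cidrs: Iterable[str]) -> int:
    """Number of addresses the supernet selector adds beyond the wanted subnets."""
    return sum(b.num_addresses for b in uncovered_space(cidrs))


def selector_is_usable(local_cidrs: Iterable[str], remote_cidr: str) -> bool:
    """A supernet selector is only usable if it does not swallow the peer's own LAN."""
    return not smallest_supernet(local_cidrs).overlaps(ipaddress.ip_network(remote_cidr))


if __name__ == "__main__":
    # Addresses from the thread: ASA side 10.1.1.0/24 and 10.3.3.0/24, RV042 side 10.0.0.0/24.
    current = ["10.1.1.0/24", "10.3.3.0/24"]
    print(smallest_supernet(current), extra_addresses(current),
          selector_is_usable(current, "10.0.0.0/24"))
    adjacent = ["10.2.2.0/24", "10.2.3.0/24"]
    print(smallest_supernet(adjacent), extra_addresses(adjacent),
          selector_is_usable(adjacent, "10.0.0.0/24"))
```

For the thread's current addressing, 10.1.1.0/24 and 10.3.3.0/24, the smallest covering block is 10.0.0.0/14, which also contains the RV042's own 10.0.0.0/24 and so cannot serve as a selector at all; two adjacent /24s such as 10.2.2.0/24 and 10.2.3.0/24 collapse to 10.2.2.0/23 with no surplus. The surplus matters because whatever else lands in that extra space is routed across the tunnel and becomes reachable from the peer site, so a selector should be no wider than the subnets that actually need to cross.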
Tercestisi (asker):
So vlan 10 and vlan 11 sit on the ASA side, and there currently is a site-to-site tunnel between the RV042 site and vlan 10; there is only a single host on vlan 11 that the RV042 site needs access to.

We have an extra RV042 lying around; what if I were to put that into routing mode, plug the WAN side into vlan 10 and the LAN side into vlan 11, and simply port forward to the host in question? There would then be an IP address on the vlan 10 side, and thus the host would be accessible.

Sound reasonable?
My only concern is that I don't want to put this extra RV042 in between any of the existing equipment, and would rather plug the WAN side into an HP Procurve switch that is connected to a Catalyst 2960 on a port that has switchport access vlan 10 and the LAN side into another HP Procurve switch that is connected to the same Catalyst 2960 on a port that has switchport access vlan 11.

So it would more or less be hanging off, just doing some routing for this situation. Would this work? I'm on the fence with this. Some static routing would need to be set up at the very least? Say the WAN side of the RV042 has an IP address of 10.1.1.100 and has a PAT rule to translate 10.1.1.100:8080 to 10.3.3.5:80 (the web server); the web server wouldn't have to be directly connected to the RV042... it could hang off another switch, as long as that switch is eventually connected to this second RV042.

I attached a quick drawing to make it easier.
SOLUTION (Fidelius)

ASKER CERTIFIED SOLUTION
Also, I tried the static NAT route; that works fine for local access (I can sit on 10.3.3.0/24 and hit 10.3.3.5 and translate to 10.1.1.100).

Unfortunately, I cannot access through a VPN tunnel, even if it is tunneled to the 10.3.3.0/24 network.