Solved

Cisco ASA and Linksys RV042 VLAN - Multiple Subnets

Posted on 2010-09-14
1,941 Views
Last Modified: 2012-05-10
We have a situation where we have a Cisco ASA 5505 Security+ device on one WAN IP and a Linksys RV042 on another WAN IP that are set up with a site-to-site VPN tunnel. Each side is tunneling a specific subnet to each other and this works fine.

Management would like to be able to tunnel (2) subnets on the ASA side to the single subnet on the RV042 side, though I am unsure of the possibility of this without replacing the RV042 with a similar ASA (which is doable budget-wise, but they'd rather not). I did set up a duplicate tunnel, for testing, on the RV042 (so there were (2) simultaneous tunnels) with the single WAN IP where the ASA sits. This *worked*, but we did end up running into situations where certain other tunnels stopped working or all of the tunnels stopped working altogether (since we were more or less doing something on the RV042 that wasn't necessarily meant to be).

Unfortunately I don't see anything on the RV042 to tunnel multiple subnets within a single IPSEC session, so I'm curious if I couldn't set up a sort of static route on the RV042 so that it could access the second VLAN on the ASA side.

Basically, the main tunnel is between 10.0.0.0/24 on the RV042 side and 10.1.1.24 on the ASA side, but we have a web server on subnet 10.3.3.0/24 on the ASA that needs to be accessed from the RV042 side. Would a static route work for this?
Question by:Tercestisi
8 Comments
LVL 12

Expert Comment

by:Fidelius
ID: 33680127
Hi,

If you can re-address networks on ASA side, to something like:
10.1.1.0/24 ---> 10.2.2.0/24
Then you could supernet the networks on the RV042 side to 10.2.2.0/23. Unfortunately, with the current address setup you can't use /23.

Regards!

LVL 11

Expert Comment

by:crouthamela
ID: 33681514
Yeah I think your best option is to replace the RV042 since it is limited to building the tunnel to whatever single LAN network is configured.

Author Comment

by:Tercestisi
ID: 33684790
So vlan 10 and vlan 11 sit on the ASA side, and there currently is a site-to-site tunnel between the RV042 site and vlan 10; there is only a single host on vlan 11 that the RV042 site needs access to.

We have an extra RV042 lying around; what if I were to put that into routing mode, plug the WAN side into vlan 10 and the LAN side into vlan 11, and simply port forward to the host in question? Therefore there would be an IP address on the vlan 10 side and thus it would be accessible.

Sound reasonable?

Author Comment

by:Tercestisi
ID: 33685103
My only concern is that I don't want to put this extra RV042 in between any of the existing equipment, and would rather plug the WAN side into an HP Procurve switch that is connected to a Catalyst 2960 on a port that has switchport access vlan 10 and the LAN side into another HP Procurve switch that is connected to the same Catalyst 2960 on a port that has switchport access vlan 11.

So it would more or less be hanging off, just doing some routing for this situation. Would this work? I'm on the fence about this. Some static routing would need to be set up at the very least? Say the WAN side of the RV042 has an IP address of 10.1.1.100 and has a PAT rule to translate 10.1.1.100:8080 to 10.3.3.5:80 (the web server); the web server wouldn't have to be directly connected to the RV042... it could hang off another switch, as long as that switch is eventually connected to this second RV042.

I attached a quick drawing to make it easier.

Author Comment

by:Tercestisi
ID: 33685107
LVL 12

Assisted Solution

by:Fidelius
Fidelius earned 500 total points
ID: 33699264
Hi Tercestisi,

Correction to my first post, address should be 10.3.2.0/24, not 10.2.2.0/24

So, as I said in my first post, if you can readdress VLAN10 to 10.3.2.0/24, then you don't need another RV042. You can just use subnet 10.3.2.0/23 in the existing RV042 instead of 10.1.1.0/24, and set up the ASA crypto map accordingly.

Another possible solution, if you only need the 10.3.3.5 address to be accessible from the remote site, is to put a static NAT statement on the ASA for that host:
static (inside,outside) 10.1.1.100 10.3.3.5 netmask 255.255.255.255


Regards!
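Added example (not from Fidelius or the original thread): the two posts above turn on whether the ASA-side subnets can be summarized into one prefix that the RV042 can carry in its single-LAN tunnel definition. The script below makes that check mechanical for any list of subnets: it finds the smallest prefix covering all of them, reports whether that summary is exact (no extra address space dragged into the tunnel's crypto ACL) and whether it collides with the remote peer's own LAN. The subnet values are taken from the thread; the function names and the peer-LAN overlap test are my additions.

```python
import ipaddress


def smallest_supernet(subnets):
    """Return the smallest single prefix that contains every subnet in the list.

    Starts from the first subnet and widens the prefix one bit at a time until
    all of the others fit inside it. All subnets must be the same IP version.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        if agg.prefixlen == 0:
            break  # already 0.0.0.0/0, cannot widen further
        agg = agg.supernet()
    return agg


def summary_check(subnets, peer_lan):
    """Evaluate a candidate summary route for a site-to-site tunnel.

    subnets  - local networks we want reachable through the tunnel
    peer_lan - the remote side's LAN (must not be swallowed by the summary)
    Returns a dict describing the summary and its side effects.
    """
    # collapse overlapping/adjacent input first so address counting is honest
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in subnets))
    agg = smallest_supernet(subnets)
    covered = sum(n.num_addresses for n in nets)
    peer = ipaddress.ip_network(peer_lan)
    return {
        "summary": str(agg),
        # exact means the summary adds no address space beyond the inputs
        "exact": covered == agg.num_addresses,
        "extra_addresses": agg.num_addresses - covered,
        # a summary that overlaps the peer's LAN would black-hole its own traffic
        "overlaps_peer_lan": agg.overlaps(peer),
    }


if __name__ == "__main__":
    # RV042 side LAN from the question; ASA-side subnets as proposed/current
    peer = "10.0.0.0/24"
    for candidate in (["10.3.2.0/24", "10.3.3.0/24"],   # Fidelius' readdressed plan
                      ["10.1.1.0/24", "10.3.3.0/24"]):  # current addressing
        print(candidate, "->", summary_check(candidate, peer))
```

Running it shows why the readdressing suggestion works and the current plan does not: 10.3.2.0/24 plus 10.3.3.0/24 summarize exactly to 10.3.2.0/23, whereas 10.1.1.0/24 plus 10.3.3.0/24 need 10.0.0.0/14, which is not exact and also contains the RV042's own 10.0.0.0/24.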

Accepted Solution

by:
Tercestisi earned 0 total points
ID: 33810067
Question resolved here:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_26505310.html

Static routing table on RV042 won't allow a remote gateway over a VPN tunnel; reassigning network subnet is not an option.

Thanks for your help.

Author Comment

by:Tercestisi
ID: 33810450
Also, I tried the static NAT route; that works fine for local access (I can sit on 10.3.3.0/24 and hit 10.3.3.5 and translate to 10.1.1.100).

Unfortunately, I cannot access through a VPN tunnel, even if it is tunneled to the 10.3.3.0/24 network.