Cisco ASA and Linksys RV042 VLAN - Multiple Subnets

We have a situation where we have a Cisco ASA 5505 Security+ device on one WAN IP and a Linksys RV042 on another WAN IP that are set up with a site-to-site VPN tunnel. Each side is tunneling a specific subnet to the other and this works fine.

Management would like to be able to tunnel (2) subnets on the ASA side to the single subnet on the RV042 side, though I am unsure of the possibility of this without replacing the RV042 with a similar ASA (which is doable budget-wise, but they'd rather not). I did set up a duplicate tunnel, for testing, on the RV042 (so there were (2) simultaneous tunnels) to the single WAN IP where the ASA sits. This *worked*, but we did end up running into situations where certain other tunnels stopped working or all of the tunnels stopped working altogether (since we were more or less doing something on the RV042 that wasn't necessarily meant to be done).

Unfortunately I don't see anything on the RV042 to tunnel multiple subnets within a single IPsec session, so I'm curious whether I could set up a sort of static route on the RV042 so that it could access the second VLAN on the ASA side.

Basically, the main tunnel is between 10.0.0.0/24 on the RV042 side and 10.1.1.0/24 on the ASA side, but we have a web server on subnet 10.3.3.0/24 on the ASA that needs to be accessed from the RV042 side. Would a static route work for this?
2 Solutions
 
Fidelius commented:
Hi,

If you can re-address networks on ASA side, to something like:
10.1.1.0/24 ---> 10.2.2.0/24
Then you could supernet the networks on the RV042 side to 10.2.2.0/23. Unfortunately with the current address setup you can't use a /23.

Regards!

 
crouthamela commented:
Yeah I think your best option is to replace the RV042 since it is limited to building the tunnel to whatever single LAN network is configured.
 
Tercestisi (author) commented:
So VLAN 10 and VLAN 11 sit on the ASA side, and there currently is a site-to-site tunnel between the RV042 site and VLAN 10; there is only a single host on VLAN 11 that the RV042 site needs access to.

We have an extra RV042 lying around; what if I were to put that into routing mode, plug the WAN side into VLAN 10 and the LAN side into VLAN 11, and simply port forward to the host in question? There would then be an IP address on the VLAN 10 side and the host would thus be accessible.

Sound reasonable?
 
Tercestisi (author) commented:
My only concern is that I don't want to put this extra RV042 in between any of the existing equipment. I would rather plug the WAN side into an HP ProCurve switch that is connected to a Catalyst 2960 on a port that has "switchport access vlan 10", and the LAN side into another HP ProCurve switch that is connected to the same Catalyst 2960 on a port that has "switchport access vlan 11".

So it would more or less be hanging off to the side, just doing some routing for this situation. Would this work? I'm on the fence about this. Some static routing would need to be set up at the very least? Say the WAN side of the RV042 has an IP address of 10.1.1.100 and has a PAT rule to translate 10.1.1.100:8080 to 10.3.3.5:80 (the web server); the web server wouldn't have to be directly connected to the RV042... it could hang off another switch, as long as that switch is eventually connected to this second RV042.

I attached a quick drawing to make it easier.
 
Fidelius commented:
Hi Tercestisi,

Correction to my first post, address should be 10.3.2.0/24, not 10.2.2.0/24

So, as I said in my first post, if you can readdress VLAN 10 to 10.3.2.0/24, then you don't need another RV042. You can just use subnet 10.3.2.0/23 in the existing RV042 instead of 10.1.1.0/24, and set up the ASA crypto map accordingly.

Another possible solution, if you need only the 10.3.3.5 address to be accessible from the remote site, is to put a static NAT statement on the ASA for that host:
static (inside,outside) 10.1.1.100 10.3.3.5 netmask 255.255.255.255


Regards!
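As an added example that is not part of the thread, the supernet arithmetic behind Fidelius's two suggestions, worked through in Python. A peer that takes only one local and one remote subnet per tunnel forces the ASA side to collapse its networks into a single prefix, so the question is how wide that prefix has to be and what else it sweeps into the crypto ACL. The subnets are the ones named in the thread; the helper names (`common_supernet`, `excess_space`, `assess`) are this example's own, not RV042 or ASA features.

```python
"""Check whether several subnets can be presented to a VPN peer as one prefix.

Helper names here are the example's own. Subnets are the ones from the
thread: ASA side 10.1.1.0/24 (VLAN 10) and 10.3.3.0/24 (VLAN 11), RV042 side
10.0.0.0/24.
"""
import ipaddress
from typing import Iterable, List, Tuple


def common_supernet(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every prefix given."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    net = nets[0]
    # Widen one bit at a time until every subnet fits inside the candidate.
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def excess_space(prefixes: Iterable[str],
                 supernet: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Ranges inside `supernet` that are not one of `prefixes`.

    Everything returned here would be declared interesting traffic to the
    peer without being an intended destination, so the smaller the better.
    """
    leftovers = [supernet]
    for p in prefixes:
        wanted = ipaddress.ip_network(p, strict=True)
        remaining = []
        for chunk in leftovers:
            if wanted.subnet_of(chunk):
                # address_exclude yields the pieces of chunk outside wanted
                # (and nothing at all when chunk == wanted).
                remaining.extend(chunk.address_exclude(wanted))
            else:
                remaining.append(chunk)
        leftovers = remaining
    return sorted(leftovers)


def assess(local_prefixes: List[str],
           remote_prefix: str) -> Tuple[ipaddress.IPv4Network, int, bool]:
    """Return (supernet, addresses swept in that are not wanted,
    whether the supernet collides with the remote site's own subnet)."""
    sup = common_supernet(local_prefixes)
    extra = sum(n.num_addresses for n in excess_space(local_prefixes, sup))
    remote = ipaddress.ip_network(remote_prefix, strict=True)
    return sup, extra, sup.overlaps(remote)


if __name__ == "__main__":
    remote_site = "10.0.0.0/24"  # RV042 LAN
    cases = {
        "current addressing": ["10.1.1.0/24", "10.3.3.0/24"],
        "first suggestion":   ["10.2.2.0/24", "10.3.3.0/24"],
        "corrected":          ["10.3.2.0/24", "10.3.3.0/24"],
    }
    for label, locals_ in cases.items():
        sup, extra, clash = assess(locals_, remote_site)
        print(f"{label:20s} -> {sup}  unwanted addresses: {extra:6d}"
              f"  overlaps {remote_site}: {clash}")
```

With the current addressing the only single prefix covering both VLANs is 10.0.0.0/14, which contains the RV042 site's own 10.0.0.0/24 and so cannot be used as the tunnel's remote subnet at all; the first suggestion (10.2.2.0/24) still needs a /15. Only adjacent networks on a /23 boundary (10.3.2.0/24 and 10.3.3.0/24) collapse to 10.3.2.0/23 with nothing unwanted swept in, which is why the readdressing has to be exactly that.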
 
Tercestisi (author) commented:
Question resolved here:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_26505310.html

The static routing table on the RV042 won't allow a remote gateway over a VPN tunnel; reassigning the network subnet is not an option.

Thanks for your help.
 
Tercestisi (author) commented:
Also, I tried the static NAT route; that works fine for local access (I can sit on 10.3.3.0/24, hit 10.3.3.5 and have it translate to 10.1.1.100).

Unfortunately, I cannot access through a VPN tunnel, even if it is tunneled to the 10.3.3.0/24 network.