Solved

Cisco ASA and Linksys RV042 VLAN - Multiple Subnets

Posted on 2010-09-14
8
Medium Priority
1,950 Views
Last Modified: 2012-05-10
We have a situation where we have a Cisco ASA 5505 Security+ device on one WAN IP and a Linksys RV042 on another WAN IP that are set up with a site-to-site VPN tunnel. Each side is tunneling a specific subnet to the other and this works fine.

Management would like to be able to tunnel (2) subnets on the ASA side to the single subnet on the RV042 side, though I am unsure of the possibility of this without replacing the RV042 with a similar ASA (which is doable budget-wise, but they'd rather not). I did set up a duplicate tunnel, for testing, on the RV042 (so there were (2) simultaneous tunnels) to the single WAN IP where the ASA sits. This *worked*, but we did end up running into situations where certain other tunnels stopped working or all of the tunnels stopped working altogether (since we were more or less doing something on the RV042 that wasn't necessarily meant to be done).

Unfortunately I don't see anything on the RV042 to tunnel multiple subnets within a single IPSEC session, so I'm curious if I couldn't set up a sort of static route on the RV042 so that it could access the second VLAN on the ASA side.

Basically, the main tunnel is between 10.0.0.0/24 on the RV042 side and 10.1.1.24 on the ASA side, but we have a web server on subnet 10.3.3.0/24 on the ASA that needs to be accessed from the RV042 side. Would a static route work for this?
0
8 Comments
 
LVL 12

Expert Comment

by:Fidelius
ID: 33680127
Hi,

If you can re-address networks on the ASA side, to something like:
10.1.1.0/24 ---> 10.2.2.0/24
then you could supernet the networks on the RV042 side to 10.2.2.0/23. Unfortunately, with the current address setup you can't use a /23.

Regards!

0
 
LVL 11

Expert Comment

by:crouthamela
ID: 33681514
Yeah, I think your best option is to replace the RV042, since it is limited to building the tunnel to whatever single LAN network is configured.
0
 

Author Comment

by:Tercestisi
ID: 33684790
So vlan 10 and vlan 11 sit on the ASA side, and there currently is a site-to-site tunnel between the RV042 site and vlan 10; there is only a single host on vlan 11 that the RV042 site needs access to.

We have an extra RV042 lying around; what if I were to put that into routing mode, plug the WAN side into vlan 10 and the LAN side into vlan 11, and simply port forward to the host in question? There would then be an IP address on the vlan 10 side, and thus the host would be accessible.

Sound reasonable?
0
 

Author Comment

by:Tercestisi
ID: 33685103
My only concern is that I don't want to put this extra RV042 in between any of the existing equipment, and would rather plug the WAN side into an HP Procurve switch that is connected to a Catalyst 2960 on a port that has switchport access vlan 10 and the LAN side into another HP Procurve switch that is connected to the same Catalyst 2960 on a port that has switchport access vlan 11.

So it would more or less be hanging off, just doing some routing for this situation. Would this work? I'm on the fence with this. Some static routing would need to be set up at the very least? Say the WAN side of the RV042 has an IP address of 10.1.1.100 and has a PAT rule to translate 10.1.1.100:8080 to 10.3.3.5:80 (the web server); the web server wouldn't have to be directly connected to the RV042... it could hang off another switch, as long as that switch is eventually connected to this second RV042.

I attached a quick drawing to make it easier.
0
 

Author Comment

by:Tercestisi
ID: 33685107
0
 
LVL 12

Assisted Solution

by:Fidelius
Fidelius earned 2000 total points
ID: 33699264
Hi Tercestisi,

Correction to my first post: the address should be 10.3.2.0/24, not 10.2.2.0/24.

So, as I said in my first post, if you can readdress VLAN10 to 10.3.2.0/24, then you don't need another RV042. You can just use subnet 10.3.2.0/23 in the existing RV042 instead of 10.1.1.0/24, and set up the ASA crypto-map accordingly.

Another possible solution, if you only need the 10.3.3.5 address to be accessible from the remote site, is to put a static NAT statement on the ASA for that host:
static (inside,outside) 10.1.1.100 10.3.3.5 netmask 255.255.255.255

Regards!
0
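The supernetting idea in Fidelius's two posts (readdress 10.1.1.0/24 to 10.3.2.0/24 so that it and 10.3.3.0/24 collapse into 10.3.2.0/23), worked through as an added example. This is not code from the thread; the prefixes are the ones quoted above, and the function names are this example's own. It also shows why the current addressing cannot be summarised: the smallest single prefix covering 10.1.1.0/24 and 10.3.3.0/24 is 10.0.0.0/14, which drags in a quarter of a million addresses that are not ours and overlaps the remote 10.0.0.0/24, so it could never be used as a tunnel selector.

```python
import ipaddress

# Prefixes below are the ones quoted in the thread (10.1.1.0/24 and 10.3.3.0/24
# on the ASA side, 10.0.0.0/24 on the RV042 side, 10.3.2.0/24 as the proposed
# readdressing). Function and variable names are this example's own.


def exact_summary(prefixes):
    """Return the single prefix that covers exactly the given networks, or None.

    collapse_addresses merges adjacent networks that together fill a larger
    prefix (two aligned /24s become one /23) and nothing else, so a one-entry
    result means the networks can be expressed as one tunnel subnet without
    pulling in any address space that is not ours.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged[0] if len(merged) == 1 else None


def smallest_cover(prefixes):
    """Smallest single prefix containing every given network (may overshoot)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    cover = nets[0]
    # Widen the candidate one bit at a time until every network fits inside it.
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def extra_addresses(cover, prefixes):
    """How many addresses the cover includes that are not in the listed networks."""
    owned = sum(ipaddress.ip_network(p, strict=True).num_addresses for p in prefixes)
    return cover.num_addresses - owned


def plan_single_subnet_tunnel(local_prefixes, remote_prefix):
    """Decide whether local_prefixes can be offered as ONE subnet to remote_prefix.

    Returns a dict with the chosen prefix, whether it is an exact summary, how
    much foreign address space it drags in, and whether it collides with the
    remote side's subnet (overlapping local/remote selectors make the proposal
    unusable regardless of what the RV042 would accept).
    """
    remote = ipaddress.ip_network(remote_prefix, strict=True)
    summary = exact_summary(local_prefixes)
    if summary is not None:
        return {"subnet": summary, "exact": True,
                "extra": 0, "overlaps_remote": summary.overlaps(remote)}
    cover = smallest_cover(local_prefixes)
    return {"subnet": cover, "exact": False,
            "extra": extra_addresses(cover, local_prefixes),
            "overlaps_remote": cover.overlaps(remote)}


if __name__ == "__main__":
    # Current addressing from the question: no exact /23 exists, and the
    # smallest cover (10.0.0.0/14) even swallows the remote 10.0.0.0/24.
    print(plan_single_subnet_tunnel(["10.1.1.0/24", "10.3.3.0/24"], "10.0.0.0/24"))
    # Fidelius's corrected proposal: 10.3.2.0/24 + 10.3.3.0/24 is exactly 10.3.2.0/23.
    print(plan_single_subnet_tunnel(["10.3.2.0/24", "10.3.3.0/24"], "10.0.0.0/24"))
```

Run it as-is to see both plans side by side; the first result has `exact` False with `overlaps_remote` True, the second is an exact 10.3.2.0/23 that stays clear of the remote subnet, which is what makes the readdressing worth the effort.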
 

Accepted Solution

by:
Tercestisi earned 0 total points
ID: 33810067
Question resolved here:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_26505310.html

The static routing table on the RV042 won't allow a remote gateway over a VPN tunnel; reassigning the network subnet is not an option.

Thanks for your help.
0
 

Author Comment

by:Tercestisi
ID: 33810450
Also, I tried the static NAT route; that works fine for local access (I can sit on 10.3.3.0/24, hit 10.3.3.5 and have it translated to 10.1.1.100).

Unfortunately, I cannot access through a VPN tunnel, even if it is tunneled to the 10.3.3.0/24 network.
0