Solved

Cisco ASA and Linksys RV042 VLAN - Multiple Subnets

Posted on 2010-09-14
1,957 Views
Last Modified: 2012-05-10
We have a situation where we have a Cisco ASA 5505 Security+ device on one WAN IP and a Linksys RV042 on another WAN IP that are set up with a site-to-site VPN tunnel. Each side is tunneling a specific subnet to the other, and this works fine.

Management would like to be able to tunnel (2) subnets on the ASA side to the single subnet on the RV042 side, though I am unsure of the possibility of this without replacing the RV042 with a similar ASA (which is doable budget-wise, but they'd rather not). I did set up a duplicate tunnel, for testing, on the RV042 (so there were (2) simultaneous tunnels) with the single WAN IP where the ASA sits. This *worked*, but we did end up running into situations where certain other tunnels stopped working or all of the tunnels stopped working altogether (since we were more or less doing something on the RV042 that wasn't necessarily meant to be).

Unfortunately I don't see anything on the RV042 to tunnel multiple subnets within a single IPsec session, so I'm curious if I couldn't set up a sort of static route on the RV042 so that it could access the second VLAN on the ASA side.

Basically, the main tunnel is between 10.0.0.0/24 on the RV042 side and 10.1.1.24 on the ASA side, but we have a web server on subnet 10.3.3.0/24 on the ASA that needs to be accessed from the RV042 side. Would a static route work for this?
Question by: Tercestisi

8 Comments
 
Expert Comment

by: Fidelius
ID: 33680127
Hi,

If you can re-address the networks on the ASA side to something like:
10.1.1.0/24 ---> 10.2.2.0/24
then you could supernet the networks on the RV042 side to 10.2.2.0/23. Unfortunately, with the current address setup you can't use a /23.

Regards!


Expert Comment

by: crouthamela
ID: 33681514
Yeah I think your best option is to replace the RV042 since it is limited to building the tunnel to whatever single LAN network is configured.

Author Comment

by: Tercestisi
ID: 33684790
So VLAN 10 and VLAN 11 sit on the ASA side, and there currently is a site-to-site tunnel between the RV042 site and VLAN 10; there is only a single host on VLAN 11 that the RV042 site needs access to.

We have an extra RV042 lying around; what if I were to put that into routing mode, plug the WAN side into VLAN 10 and the LAN side into VLAN 11, and simply port forward to the host in question? Therefore there would be an IP address on the VLAN 10 side and thus it would be accessible.

Sound reasonable?

Author Comment

by: Tercestisi
ID: 33685103
My only concern is that I don't want to put this extra RV042 in between any of the existing equipment, and would rather plug the WAN side into an HP ProCurve switch that is connected to a Catalyst 2960 on a port that has switchport access vlan 10, and the LAN side into another HP ProCurve switch that is connected to the same Catalyst 2960 on a port that has switchport access vlan 11.

So it would more or less be hanging off, just doing some routing for this situation. Would this work? I'm on the fence with this. Some static routing would need to be set up at the very least? Say the WAN side of the RV042 has an IP address of 10.1.1.100 and has a PAT rule to translate 10.1.1.100:8080 to 10.3.3.5:80 (the web server); the web server wouldn't have to be directly connected to the RV042... it could hang off another switch, as long as that switch is eventually connected to this second RV042.

I attached a quick drawing to make it easier.

Author Comment

by: Tercestisi
ID: 33685107


Assisted Solution

by: Fidelius
Fidelius earned 2000 total points
ID: 33699264
Hi Tercestisi,

Correction to my first post: the address should be 10.3.2.0/24, not 10.2.2.0/24.

So, as I said in my first post, if you can readdress VLAN 10 to 10.3.2.0/24, then you don't need another RV042. You can just use subnet 10.3.2.0/23 in the existing RV042 instead of 10.1.1.0/24, and set up the ASA crypto map accordingly.

The other solution that is possible, if you need only the 10.3.3.5 address to be accessible from the remote site, is to put a static NAT statement on the ASA for that host:

    static (inside,outside) 10.1.1.100 10.3.3.5 netmask 255.255.255.255


Regards!
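As an added example (my own script, not code from the thread, from Cisco or from Linksys): the addressing arithmetic behind Fidelius's supernet suggestion, done with Python's standard ipaddress module. The RV042 carries one local/remote subnet pair per tunnel, so the two ASA-side subnets can only ride one tunnel if a single prefix covers both. The script computes that prefix for the addressing in the question, for the first proposal (10.2.2.0/24) and for the corrected one (10.3.2.0/24), and flags the two things a practitioner would check before committing to a readdress: whether the supernet overlaps the RV042 side's own 10.0.0.0/24, and how much address space the supernet adds to the tunnel selector beyond the real subnets. The subnets are the ones named in the thread; the function names are my own.

```python
"""Supernet feasibility check for the two-subnet tunnel discussed in this thread.

Added example, not code from the thread, the ASA or the RV042. The RV042
carries a single local/remote subnet pair per tunnel, so the ASA side can
only be reached through it if all ASA-side subnets fit one prefix. This
script computes that prefix and flags the two things that make a supernet
unusable: overlap with the RV042 side's own subnet, and extra address space
the supernet drags into the tunnel selector.
"""
import ipaddress
from typing import Dict, List


def covering_supernet(subnets: List[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every subnet in `subnets`."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    cover = nets[0]
    # Widen one bit at a time until every subnet is inside the candidate.
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def excess_space(cover: ipaddress.IPv4Network,
                 subnets: List[str]) -> List[ipaddress.IPv4Network]:
    """CIDR blocks inside `cover` that are not one of the real subnets.

    Anything listed here would be matched by the tunnel selector even though
    no host there is supposed to be reachable through the VPN.
    """
    remaining = [cover]
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        carved = []
        for block in remaining:
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))
            else:
                carved.append(block)
        remaining = carved
    return sorted(remaining)


def plan_tunnel(local_subnets: List[str], remote_subnet: str) -> Dict[str, object]:
    """Evaluate whether `local_subnets` can be carried as one selector to `remote_subnet`."""
    remote = ipaddress.ip_network(remote_subnet, strict=True)
    cover = covering_supernet(local_subnets)
    excess = excess_space(cover, local_subnets)
    return {
        "cover": str(cover),
        "prefixlen": cover.prefixlen,
        # A local selector that contains the far side's subnet cannot work:
        # traffic destined for the remote site would look like local traffic.
        "overlaps_remote": cover.overlaps(remote),
        "excess": [str(x) for x in excess],
    }


if __name__ == "__main__":
    remote = "10.0.0.0/24"  # RV042 side, from the question
    cases = {
        "current addressing": ["10.1.1.0/24", "10.3.3.0/24"],
        "first proposal": ["10.2.2.0/24", "10.3.3.0/24"],
        "corrected proposal": ["10.3.2.0/24", "10.3.3.0/24"],
    }
    for label, local_nets in cases.items():
        result = plan_tunnel(local_nets, remote)
        print(f"{label:20s} cover={result['cover']:16s} "
              f"overlaps_remote={result['overlaps_remote']} "
              f"excess={result['excess'] or 'none'}")
```

Running it shows why the first proposal does not yield a /23 (10.2.2.0/24 and 10.3.3.0/24 only share a /15) and why the current addressing cannot be supernetted at all: the smallest prefix covering 10.1.1.0/24 and 10.3.3.0/24 is 10.0.0.0/14, which swallows the RV042 side's own 10.0.0.0/24. Only the corrected 10.3.2.0/24 plus 10.3.3.0/24 pair collapses to 10.3.2.0/23 with no excess address space in the selector.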
 

Accepted Solution

by: Tercestisi
Tercestisi earned 0 total points
ID: 33810067
Question resolved here:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_26505310.html

The static routing table on the RV042 won't allow a remote gateway over a VPN tunnel; reassigning the network subnet is not an option.

Thanks for your help.

Author Comment

by: Tercestisi
ID: 33810450
Also, I tried the static NAT route; that works fine for local access (I can sit on 10.3.3.0/24 and hit 10.3.3.5 and translate to 10.1.1.100).

Unfortunately, I cannot access through a VPN tunnel, even if it is tunneled to the 10.3.3.0/24 network.