
RV042 gateway to gateway no remote access

Last Modified: 2012-04-04
Hi, I have two Cisco RV042's with the most current firmware. Both have configured proper gateway to gateway connections and the connection is active.

Inside the router(s) I can use the diagnostics ping to ping anything on the remote network.

However neither network can converse with one another.

Both are on a static IP with no firewall and no NAT. Directly connected to a Comcast business class router with a public IP assigned to each one.

Settings are as follows:

Router #1

Local Security Gateway Type : IP only (Static IP)
Local security group type: Subnet
Local IP: 192.168.1.0
Subnet: 255.255.255.0

Remote Security Gateway Type: IP (Static IP of remote RV042)
Local Security Group type: Subnet
Local IP: 192.168.2.0
Subnet: 255.255.255.0

IKE Preshared
Group 1 768Bit
DES/MD5/1

Phase 2:
Group1 768Bit
3DES/MD5/1

Keep Alive and Dead Peer are on.

Same for remote but flipped local and remote + statics.

Again, the VPN is connected and active. Confirmed working by diagnostic remote pinging from gateway to remote client machine. However, the local client machine cannot ping or access the remote one and vice versa.

Henk van Achterberg, Sr. Technical Consultant

Commented:
Did you enable the firewall and if so did you create a rule for the vpn?

Author

Commented:
I have the firewall disabled. Should I enable it and create an access rule for the traffic? If so what should the rule be?

Thanks!
Fred Marshall, Principal

Commented:
I don't think you can have both of them behind a router as you do. You can do it with *one* of them behind a router but not both... when using for VPN terminations. Been there, done that. Somewhere there's a document that says this but I can't tell you where it is right now.
Fred Marshall, Principal

Commented:
So, a better idea is to have at least one of them be the internet gateway with an external public ip address.

Author

Commented:
Both of them are the internet gateway with an external IP address. The modem (Comcast) had disable firewall for true static IP on.
Fred Marshall, Principal

Commented:
Hmmmmmm.... I posted a response but it's not here.

You say: "neither network can converse with one another" so, if the tunnels are up then this suggests routing or firewall issues.

With the RV042s as the internet gateways then I presume that their LAN addresses are what the computers, etc. are pointed to as "gateway".  Then routing to the tunnel should be internal to the RV042 without any other routing needed.

I have seen the lack of file sharing due to the Windows 7 firewall.  So here are instructions I wrote to fix that for site-to-site file access on Windows 7 machines.
Windows-7-File-and-Printer-Shari.pdf

Author

Commented:
Thanks fmarshall,

I forgot to mention these are all on Mac. By default they should not have a firewall. And I know that they are conversing because the remote router can ping the workstations.
Fred Marshall, Principal

Commented:
Either they are "conversing" (whatever that means) or they are not "conversing" as you said in your original question posting.  So, which is it?  Please use more common terms like: "can't see shared files" "can't see shared or network printers", etc.
Fred Marshall, Principal

Commented:
The other thing is name service. How are you trying to access shared files?
I'm not used to using Macs. With Windows there can be name service via NetBIOS. The RV042 VPNs can be set to either allow or not allow NetBIOS traffic. Normally I keep the NetBIOS traffic turned off and use IP addresses for access.

On a Windows machine:
Start / Run
\\10.10.10.10     ..... or whatever IP address I want to reach.
and then the shared folders open up in a Windows Explorer window.

So, you need to know how you're connecting.

If only the remote router can ping the remote computers then that means there is something left to configure.

What are the RV042 ip addresses on the LANs?
What are the computer ip address range on the LANs?
What happens if you run a traceroute from a PC to a remote PC?
Commented:
On a Windows machine:
Start / Run
\\10.10.10.10     ..... or whatever IP address I want to reach.
and then the shared folders open up in a Windows Explorer window.

I can only ping the remote computers from the VPN router itself, i.e., a VPN tunnel is created and under diagnostic, I can go to ping and then choose something like the remote office's server. It responds. However, if I go to, let's say, a workstation on my network and attempt to ping the remote server: no response. I'm pinging by IP address, not hostname.

So, you need to know how you're connecting.

If only the remote router can ping the remote computers then that means there is something left to configure.

What are the RV042 ip addresses on the LANs? Office 1: 192.168.2.254 (LAN Gateway IP as well as the Gateway and DNS server for machines) Office 2: 192.168.1.254 (LAN Gateway IP as well as the Gateway and DNS Server for machines)
What are the computer ip address range on the LANs? Office 1: 192.168.2.15~150 Office 2: 192.168.1.15~150
What happens if you run a traceroute from a PC to a remote PC? If I start a trace route it literally sends it off into the internet. I've attached a copy.
Trace.txt
Fred Marshall, Principal

Commented:
There should be no public addresses in the trace.
This suggests that the RV042 isn't routing into the tunnel - which puzzles me.

I don't recall having this issue with internet-based VPNs on the RV042.
But, I'd try this then:

On the RV042s do this:
First, look at the routing table
Setup / Advanced Routing at the bottom of the page: Show Routing Table
Now, I should think that the tunnel setup would have caught the subnets and put them in the routing table.  They should already be there as:
Destination    Subnet           Default Gateway    Hop Count    Interface
192.168.2.0    255.255.255.0    192.168.1.0        x            tunnelxx

Well, something like that. I don't have one to look at right now.
My recollection is that the interface *will* show one of the tunnels if it's set up.

I was going to suggest that you add a route.  But because you need a tunnel to refer to then you should NOT have routes that say:
192.168.2.0  255.255.255.0 goes to the WAN interface!!
Maybe that's what you have and then I'd suggest you remove it.
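
Added example, not part of the original thread: a check for the symptom discussed above, a trace to a host in the remote VPN subnet that shows public hops, meaning the traffic is leaving over the WAN outside the tunnel. The two traces are constructed samples (not the attached Trace.txt) and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 private ranges; any other hop address counts as public here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")

# Constructed traces from an Office 1 workstation (192.168.2.x) to an
# Office 2 host; 203.0.113.x and 198.51.100.x are documentation addresses.
LEAKING_TRACE = """\
traceroute to 192.168.1.20 (192.168.1.20), 64 hops max, 52 byte packets
 1  192.168.2.254 (192.168.2.254)  1.012 ms  0.734 ms  0.701 ms
 2  203.0.113.1 (203.0.113.1)  9.870 ms  10.204 ms  9.911 ms
 3  198.51.100.17 (198.51.100.17)  14.332 ms  13.871 ms  14.020 ms
 4  * * *
"""
TUNNELLED_TRACE = """\
traceroute to 192.168.1.20 (192.168.1.20), 64 hops max, 52 byte packets
 1  192.168.2.254 (192.168.2.254)  1.020 ms  0.698 ms  0.702 ms
 2  192.168.1.20 (192.168.1.20)  24.118 ms  23.907 ms  24.355 ms
"""

def public_hops(trace_text):
    """Return [(hop_number, ip)] for every hop address outside RFC 1918."""
    found = []
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        for text in dict.fromkeys(IPV4_RE.findall(m.group(2))):  # de-duplicate
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # looked like an address but is not one
            if not any(ip in net for net in RFC1918):
                found.append((int(m.group(1)), text))
    return found

def tunnel_bypassed(trace_text, dest, remote_subnet):
    """True if a trace to a host in the remote VPN subnet shows public hops."""
    if ipaddress.ip_address(dest) not in ipaddress.ip_network(remote_subnet):
        raise ValueError(f"{dest} is not in {remote_subnet}")
    return bool(public_hops(trace_text))

if __name__ == "__main__":
    for name, trace in (("leaking", LEAKING_TRACE), ("tunnelled", TUNNELLED_TRACE)):
        print(name, tunnel_bypassed(trace, "192.168.1.20", "192.168.1.0/24"))
```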

Author

Commented:
Great answer, I had to do a little bit of work around but was able to get it up and running =)
