Dennis Traina asked:
Site To Site IPSec VPN Network Resource Issue

I need to do a site to site IPSec VPN with an outside vendor so they can access a server on my network. On my end I am using a Cisco RV320 Small Business VPN Router. RV320 Manual.

The vendor and I both use the same subnet 10.1.10.0. Neither of us can change our subnet.

My office is pretty small so all network devices were on the default VLAN. No other VLANS were defined.

To try to work around the subnet problem:
  • I created a second VLAN - 10.1.12.0.
  • I setup the VPN to connect to that VLAN
  • I wired the server to LAN3 on the Cisco.
  • I used Port Management > VLAN Membership and set Inter VLAN Routing to Disabled for both VLANS.
  • For VLAN1 (10.1.10.0) I set LAN1 and LAN2 to untagged / LAN3 and LAN4 to excluded
  • For VLAN2 (10.1.12.0) I set LAN1 and LAN2 to excluded / LAN3 and LAN4 to untagged
  • For VLAN2 (10.1.12.0) I set Device Management to disabled

The outside vendor can connect, access the GUI for router (which they shouldn't be able to) but not access the server on port 80.

The way it is setup, it should connect the vendor to my network, and they should just be accessing the 10.1.12.0 subnet. The server they need to access is 10.1.12.13 (static address, the only device on the VLAN besides the router). They can access the GUI of the router but not the server on port 80. Full disclosure - this server has (2) NICs. One has a static IP of 10.1.10.13 and the other 10.1.12.13. Basically, I need the server to be available to both subnets.

Am I missing something? Is what I want to do even possible? Not experienced with this.
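A small check a troubleshooter could run against the design described in this question (added example, not code from the thread or from Cisco): it tests whether the two IPsec traffic selectors overlap, then models the routing table a dual-homed Windows host would hold and asks which interface it would use to answer a vendor client. It assumes /24 masks on both subnets, the server's default gateway on the 10.1.10.x NIC, and a constructed vendor client address 10.1.10.50.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[str] = None  # None = directly connected (on-link) route


def overlap(local_net: str, remote_net: str) -> bool:
    """True if the local and remote VPN networks share any address."""
    a = ipaddress.ip_network(local_net, strict=False)
    b = ipaddress.ip_network(remote_net, strict=False)
    return a.overlaps(b)


def host_routes(interfaces: Dict[str, str], default_gw: str, default_iface: str) -> List[Route]:
    """Connected routes for every NIC plus one default route, as a host would build them."""
    routes = [Route(ipaddress.ip_network(cidr, strict=False), name) for name, cidr in interfaces.items()]
    routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), default_iface, default_gw))
    return routes


def reply_path(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the route the host picks when replying to dst."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def check_vpn_design(local_net: str, remote_net: str, interfaces: Dict[str, str],
                     default_gw: str, default_iface: str, vendor_client: str) -> List[str]:
    """Return a list of design problems; an empty list means nothing obvious is wrong."""
    problems = []
    if overlap(local_net, remote_net):
        problems.append(f"local {local_net} overlaps remote {remote_net}")
    route = reply_path(host_routes(interfaces, default_gw, default_iface), vendor_client)
    if route.via is None:
        # The host believes the vendor is on its own LAN segment and will ARP for it
        # there instead of handing the reply to the router, so it never enters the tunnel.
        problems.append(f"reply to {vendor_client} goes on-link via {route.iface} "
                        f"({route.prefix}), not back through the tunnel")
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the thread: server on 10.1.10.13 and 10.1.12.13.
    nics = {"NIC1": "10.1.10.13/24", "NIC2": "10.1.12.13/24"}
    for p in check_vpn_design("10.1.12.0/24", "10.1.10.0/24", nics, "10.1.10.1", "NIC1", "10.1.10.50"):
        print("problem:", p)
```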
John
I have site-to-site tunnels with a Cisco RV325 (320) routers and the tunnels work fine using different subnets on each end.

I do not think this router can deal with same subnets, so you would have to do routing outside of that, or try a much more advanced router.

I never use same subnets. In all my cases at least one end can switch.
Dennis Traina (ASKER)
I was hoping by isolating the two VLANS, and directing the VPN to the subnet that is different than the vendor's, it would work.
Cisco RV320 does not do generalized VLANs (I have tried that).
What is odd is they can hit the GUI for the router at 10.1.12.1 and the server I need them to access is 10.1.12.13. Accessing both on port 80, the router interface loads but the website on .13 does not. Changing the subnet will not be fun. Is there another router that will do the job?
The GUI setup can only handle one IP address. I am not sure what other router might work, but people here (old threads) have used routing to sometimes (only sometimes) allow same subnets. I have not.

Changing subnets is not fun, agree, but we have done it for the longer-term payback.
masnrock
So it sounds like you set up everything correctly in terms of the router... is the firmware up to date? And routers do normally make themselves available at .x on every subnet that's defined on it. But given you disabled Device Management, it sounds like a bug.

As for your server issue... what type of server is it exactly? I'm assuming both NICs are enabled, etc. The dual network setup is something that is generally discouraged for a number of reasons. Assuming that it is a Windows server, you may need to check Windows Firewall (or any other application on there that acts as a firewall). Also some applications might not necessarily play nicely with a second NIC.

Do you have a screenshot of your site to site VPN settings? (Please fuzz out anything showing public IPs)
It is a Windows 2008 Server. OS firewall disabled. Router Firmware is up to date.
[Six screenshots of the site-to-site VPN settings]
Those settings are almost the same (IP addresses different) as my own RV325 (320) settings
You have Device Management enabled on VLAN2. You need to disable that.
I agree it should be disabled. My primary focus is VLAN1. That is just for my vendor to VPN onto and access the server. The connection to the server always times out even though the tunnel is connected. Is my second VLAN that has the same subnet as my vendor affecting this connection even though the VLANS are isolated from one another?
Did you make any interesting routing rules while you were setting things up?

Also you should take a look at the logs.
No other configuration done. Looks like I will be changing my subnet tomorrow.
ASKER CERTIFIED SOLUTION
masnrock
I suggested changing the subnet, so why no credit for it, I do not understand