Site To Site IPSec VPN Network Resource Issue

Dennis Traina
I need to do a site to site IPSec VPN with an outside vendor so they can access a server on my network. On my end I am using a Cisco RV320 Small Business VPN Router. RV320 Manual.

The vendor and I both use the same subnet 10.1.10.0. Neither of us can change our subnet.

My office is pretty small so all network devices were on the default VLAN. No other VLANS were defined.

To try to work around the subnet problem:
  • I created a second VLAN - 10.1.12.0.
  • I set up the VPN to connect to that VLAN.
  • I wired the server to LAN3 on the Cisco.
  • I used Port Management > VLAN Membership and set Inter VLAN Routing to Disabled for both VLANs.
  • For VLAN1 (10.1.10.0) I set LAN1 and LAN2 to untagged / LAN3 and LAN4 to excluded.
  • For VLAN2 (10.1.12.0) I set LAN1 and LAN2 to excluded / LAN3 and LAN4 to untagged.
  • For VLAN2 (10.1.12.0) I set Device Management to disabled.

The outside vendor can connect, access the GUI for router (which they shouldn't be able to) but not access the server on port 80.

The way it is setup, it should connect the vendor to my network, and they should just be accessing the 10.1.12.0 subnet. The server they need to access is 10.1.12.13 (static address, the only device on the VLAN besides the router). They can access the GUI of the router but not the server on port 80. Full disclosure - this server has (2) NICs. One has a static IP of 10.1.10.13 and the other 10.1.12.13. Basically, I need the server to be available to both subnets.

Am I missing something? Is what I want to do even possible? Not experienced with this.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I have site-to-site tunnels with a Cisco RV325 (320) routers and the tunnels work fine using different subnets on each end.

I do not think this router can deal with same subnets, so you would have to do routing outside of that, or try a much more advanced router.

I never use same subnets. In all my cases at least one end can switch.
Dennis Traina, Information Technology Manager

Author

Commented:
I was hoping by isolating the two VLANS, and directing the VPN to the subnet that is different than the vendor's, it would work.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Cisco RV320 does not do generalized VLANs (I have tried that).
Dennis Traina, Information Technology Manager

Author

Commented:
What is odd is they can hit the GUI for the router at 10.1.12.1 and the server I need them to access is 10.1.12.13. Accessing both on port 80, the router interface loads but the website on .13 does not. Changing the subnet will not be fun. Is there another router that will do the job?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
The GUI setup can only handle one IP address. I am not sure what other router might work, but people here (old threads) have used routing to sometimes (only sometimes) allow same subnets. I have not.

Changing subnets is not fun, agree, but we have done for the longer term payback.
Distinguished Expert 2018

Commented:
So it sounds like you set up everything correctly in terms of the router... is the firmware up to date? And routers do normally make themselves available at .x on every subnet that's defined on it. But given you disabled Device Management, it sounds like a bug.

As for your server issue.. what type of server is it exactly? I'm assuming both NICs are enabled, etc. The dual network setup is something that is generally discouraged for a number of reasons. Assuming that it is a Windows server, you may need to check Windows Firewall (or any other application on there that acts as a firewall). Also some applications might not necessarily play nicely with a second NIC.

Do you have a screenshot of your site to site VPN settings? (Please fuzz out anything showing public IPs)
Dennis Traina, Information Technology Manager

Author

Commented:
It is a Windows 2008 Server. OS firewall disabled. Router Firmware is up to date.
Attached screenshots: VPN Overview, VPN Settings, VLAN Overview, VLANs, General Firewall, FW Access Rules.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Those settings are almost the same (IP addresses different) as my own RV325 (320) settings.
Distinguished Expert 2018

Commented:
You have Device Management enabled on VLAN2. You need to disable that.
Dennis Traina, Information Technology Manager

Author

Commented:
I agree it should be disabled. My primary focus is VLAN1. That is just for my vendor to VPN onto and access the server. The connection to the server always times out even though the tunnel is connected. Is my second VLAN that has the same subnet as my vendor affecting this connection even though the VLANs are isolated from one another?
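The question just above asks whether the second VLAN, which shares the vendor's subnet, can affect the connection even with inter-VLAN routing disabled. The script below is an added illustration (not from this thread and not a Cisco tool) of the routing decision the dual-NIC server itself makes, independent of the router: an ordinary host always prefers a directly connected /24 over its default gateway, so a reply addressed to a vendor host in 10.1.10.0/24 leaves the NIC that sits on the office's own 10.1.10.0/24 and never reaches the router or the tunnel, while the router's own GUI at 10.1.12.1 answers because the router terminates the tunnel itself. It also flags the overlap between the tunnel's remote selector and a locally connected subnet. Addresses are the ones stated in the thread; the vendor host 10.1.10.50, the outside address 203.0.113.7 and the server's default gateway being 10.1.12.1 on the second NIC are assumptions.

```python
"""Longest-prefix-match walk-through for the dual-NIC server in the thread.

Added illustration, not code from the thread or from Cisco. Addresses are
taken from the thread except where marked as assumed.
"""
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# A route is (destination network, next hop or None if directly connected, interface)
Route = Tuple[IPv4Network, Optional[IPv4Address], str]

# Server routing table as the thread describes it: two NICs, each with its own
# connected /24. The default route is ASSUMED to point at the RV320's VLAN2
# address 10.1.12.1 through the second NIC; the connected-route result below
# does not depend on that choice.
SERVER_ROUTES: List[Route] = [
    (ip_network("10.1.10.0/24"), None, "NIC1 (10.1.10.13)"),
    (ip_network("10.1.12.0/24"), None, "NIC2 (10.1.12.13)"),
    (ip_network("0.0.0.0/0"), ip_address("10.1.12.1"), "NIC2 (10.1.12.13)"),
]


def lookup(table: List[Route], dst: IPv4Address) -> Route:
    """Return the most specific (longest prefix) route covering dst."""
    matches = [r for r in table if dst in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)


def reply_path(dst: str, table: List[Route] = SERVER_ROUTES) -> str:
    """Describe where the server would send a reply addressed to dst."""
    net, nexthop, iface = lookup(table, ip_address(dst))
    if nexthop is None:
        # A connected route wins over the default route: the packet goes
        # straight onto the local LAN and the VPN router never sees it.
        return f"{dst}: connected route {net} via {iface} (never reaches the router)"
    return f"{dst}: via gateway {nexthop} on {iface}"


def reaches_tunnel(dst: str, table: List[Route] = SERVER_ROUTES,
                   tunnel_gw: str = "10.1.12.1") -> bool:
    """True if the reply is handed to the VPN router rather than a local NIC."""
    _, nexthop, _ = lookup(table, ip_address(dst))
    return nexthop is not None and str(nexthop) == tunnel_gw


def selector_conflicts(remote_selector: str, connected: List[str]) -> List[str]:
    """Return locally connected subnets that overlap the tunnel's remote selector.

    Any overlap means hosts on the local site have a connected route that
    competes with the tunnel for the same addresses.
    """
    remote = ip_network(remote_selector)
    return [c for c in connected if ip_network(c).overlaps(remote)]


if __name__ == "__main__":
    # 10.1.10.50 is an ASSUMED vendor workstation on the far side of the tunnel.
    print(reply_path("10.1.10.50"))
    # 203.0.113.7 is a documentation-range address standing in for any remote host.
    print(reply_path("203.0.113.7"))
    # Local VLANs from the thread versus the vendor's 10.1.10.0/24 selector.
    print(selector_conflicts("10.1.10.0/24", ["10.1.10.0/24", "10.1.12.0/24"]))
```

Run it as-is: the first line reports that a reply to 10.1.10.50 leaves NIC1 on the office LAN, the second shows a reply to an outside address going to the gateway, and the conflict check lists 10.1.10.0/24. Removing the server's 10.1.10.13 NIC (or renumbering either site, as the thread concludes) is what makes the first result change.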
Distinguished Expert 2018

Commented:
Did you make any interesting routing rules while you were setting things up?

Also you should take a look at the logs.
Dennis Traina, Information Technology Manager

Author

Commented:
No other configuration done. Looks like I will be changing my subnet tomorrow.
Distinguished Expert 2018
Commented:
I would at least check the logs first. You may find a simple answer in them. If push comes to shove then consider changing your subnet.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I suggested changing the subnet, so why no credit for it? I do not understand.
