Cisco RV320 and EZ VPN issues

I have an offsite location that needs two time clocks connected back to our home location. Normally for offsite locations I install an ASA, set up EZ VPN on it with a few commands and everything is good to go. Since this is a small footprint I didn't want to install an ASA there. I purchased a Cisco RV320 VPN router because I read in the description it's capable of running an Easy VPN setup.

After receiving the device and talking to small business TAC they told me the only way the RV320 can connect to my home firewall (ASA 5520) is through a "gateway to gateway" VPN which seems a lot more complicated.

From that conversation and researching a bit I've deduced the "Easy VPN" the RV320 is capable of running is only from Client machines back to the router while the EZ VPN I run from ASA to ASA is different somehow.

Question Number 1: Is there an actual difference between "EZ VPN" and "Easy VPN" or have I misread something? Number 2: If there is a difference then are there any small business devices that can use "EZ VPN" as a means to connect back to my ASA?

EZ VPN setup link I normally use: http://www.jump.net.uk/blog-cisco-easy-vpn-on-asa

Easy VPN setup link for the RV320: https://supportforums.cisco.com/t5/small-business-support-documents/configure-easy-client-to-gateway-virtual-private-network-vpn-on/ta-p/3172906
travisryan Asked:

John, Business Consultant (Owner), Commented:
I agree, given your description, that site to site would be easier and better overall. I assume your offices have static IP addresses.

For client access, I always use NCP Secure Entry as it is a more flexible and robust client application. EZ VPN was always a problem wherever we tried to use it.
0
travisryan (Author) Commented:
John, this remote site does have a static address but other remote sites do not. This is exactly one of the features I like about EZ VPN as it doesn't matter on the "client" (read ASA/router) side if it's static or dynamic.

As far as NCP Secure Entry, this looks like a third party VPN client for PCs and mobile, I'm looking for a solution to create a VPN tunnel between the Small Business Router and a Firewall.
0
John, Business Consultant (Owner), Commented:
NCP works fine into a dynamic IP address.
I use it myself this way.

If the remote site does not change except every year or so, you can treat it as static. I do this also.
0
travisryan (Author) Commented:
John, I think we're having a miscommunication. My two questions were about two Cisco devices and how to connect via site to site VPN.

I believe I've sussed out the answer to my first question: Cisco Easy VPN refers to a piece of software to allow clients to connect into a firewall whereas Cisco EZ VPN refers to a method via commands on two ASA Firewalls or Routers to connect them via Site to Site VPN. Why they would use such close terminology for things that are not the same but similar is frustrating to me.

My second question still eludes me, I'm curious if there's another device in the Cisco family of Small Business Routers that supports the EZ VPN method of creating a site to site VPN with a Cisco Firewall.
0
John, Business Consultant (Owner), Commented:
I do both Site to Site and Client to Site. So I addressed both.

You can set up an IPsec VPN tunnel in the Cisco ASA and then set up a mirror tunnel in the Cisco RV 320. I do this now with a Cisco RV325 (same machine).

The only thing is that the address of the remote site should stay fixed for a reasonable period of time.
0
travisryan (Author) Commented:
Do you have the RV 325 using a Gateway to Gateway VPN to connect to the ASA?
0
John, Business Consultant (Owner), Commented:
No. I connect to another Cisco RV or two and then Juniper.

Here is the list of settings.

Description
Tunnel Number 5
Interface on Router WAN 1
Enabled

Local Gateway Type: IP Only
(External) IP address
Local Security Group type: Subnet
192.168.000.0
255.255.255.0

Remote Gateway Type: Dyn IP + Email  (or what you need)
Remote IP address or email address  (these two are likely IP for you)
Remote Security Group type: Subnet
192.168.222.0
255.255.255.0

Keying Mode: IKE Pre-share
Phase 1
Group 2
3DES
SHA1
28800 Sec.
PFS OFF

Phase 2
Group 2
3DES
SHA1
3600 Sec.
Pre-shared key

Advanced
Main Mode (for site to site)
Compress OFF
Keep Alive ON Default
AH Hash (MD5) I have OFF
NetBIOS OFF
Nat Traversal ON or OFF whichever works
0
travisryan (Author) Commented:
Hopefully you can help me, I'm following this guide: https://sbkb.cisco.com/CiscoSB/GetArticle.aspx?docid=7200e3b590e443af8f27a1ca957705ba_Configuring_a_Site_to_Site_VPN_tunnel_between_RV_Series_Rout.xml

But my topology isn't as simple as the example given. I need to connect a time clock at a remote site (with no VPN capabilities of its own) with a server at my main office. Here's my topology:

Time clock IP: 10.2.1.5 -> RV 320 inside lan ip: 10.2.1.1 -> RV 320 WAN ip: 173.100.10.1 -> Internet -> ASA 5520 Outside IP: 72.10.10.1 -> ASA Inside IP: 10.255.1.1 -> Main Switch VLAN 255 IP: 10.255.1.3 -> Main Switch VLAN 1 IP: 10.1.1.1 -> Time Clock server: 10.1.1.5

How would I configure this on the RV 320 to get from 10.2.1.5 to 10.1.1.5?
0
John, Business Consultant (Owner), Commented:
Time clock IP: 10.2.1.5 -> RV 320 inside lan ip: 10.4.1.1 <-- I keep everything on the same subnet. Can you put the clock on 10.4? If not, you are going to have to create a wider range in the RV320 and I have not done this.
0
travisryan (Author) Commented:
Apologies, I edited it to correct it.
0
John, Business Consultant (Owner), Commented:
You need to allow subnets internally at each end as my example shows. Once the tunnel is connected, you should be able to address the devices by IP address if necessary.
0
travisryan (Author) Commented:
Which remote subnet do I need to put in my config? 10.255.1.0 or 10.1.1.0? Or do I need both?
0
John, Business Consultant (Owner), Commented:
10.2.1.x on the RV320 end and then it appears you have set up the other end already.
0
travisryan (Author) Commented:
In your example you use:
"Remote Security Group type: Subnet
192.168.222.0
255.255.255.0"

Even though I need to get to the remote subnet 10.1.1.0, I need to travel through 10.255.1.0 to get there. Which one do I need to put in?
0
John, Business Consultant (Owner), Commented:
The first address is the IP Subnet and the second is the Subnet Mask. You need both.
0
travisryan (Author) Commented:
Maybe I'm misunderstanding. In your example:

Local Gateway Type: IP Only
(External) IP address
Local Security Group type: Subnet
192.168.000.0
255.255.255.0

Remote Gateway Type: Dyn IP + Email  (or what you need)
Remote IP address or email address  (these two are likely IP for you)
Remote Security Group type: Subnet
192.168.222.0
255.255.255.0

For my example it would be:

Local Gateway Type: IP Only
(External) IP address: 173.100.10.1
Local Security Group type: Subnet
10.2.1.0
255.255.255.0

Remote Gateway Type: IP only
Remote IP: 72.10.10.1
Remote Security Group type: Subnet
(10.1.1.0 OR 10.255.1.0)?
255.255.255.0
0
John, Business Consultant (Owner), Commented:
The first (RV320 end) is correct. The other end you need to pick one subnet.
0
travisryan (Author) Commented:
My question is: Which one do I pick? Can I just pick 10.1.1.0 because that's my end goal? Or do I need to include 10.255.1.0?

After thinking about it I think the answer is 10.1.1.0 because if a request hits my ASA, my ASA knows to route through the 10.255.1.0 network to get to the 10.1.1.0 network. I was just looking for confirmation.
0
John, Business Consultant (Owner), Commented:
Yes. Pick 10.1.1.x as that is your target.
0
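
The subnet choice settled above, as an added example that is not part of the thread or any device's configuration: a tunnel's security groups are matched against a packet's own source and destination, so the transit network 10.255.1.0/24 never has to appear in them. The ASA entry is an assumed mirror of the RV320 side, the proposal values are taken from the settings list posted earlier in the thread, and `LEGACY` and `MIN_DH_GROUP` are assumed local policy values.

```python
import ipaddress as ip

# Constructed from addresses and settings posted in the thread (not device output).
# The ASA side is an assumed mirror; its real configuration is not on the page.
PROPOSAL = ("3DES", "SHA1", 2)            # (encryption, hash, DH group)
RV320 = {"local": "10.2.1.0/24", "remote": "10.1.1.0/24",
         "p1": PROPOSAL, "p2": PROPOSAL, "pfs": False}
ASA = {"local": "10.1.1.0/24", "remote": "10.2.1.0/24",
       "p1": PROPOSAL, "p2": PROPOSAL, "pfs": False}

LEGACY = {"DES", "3DES", "MD5", "SHA1"}   # assumption: local policy deny-list
MIN_DH_GROUP = 14                         # assumption: local policy floor


def selects(end, src, dst):
    """True if packet src -> dst matches this end's local/remote security groups."""
    return (ip.ip_address(src) in ip.ip_network(end["local"])
            and ip.ip_address(dst) in ip.ip_network(end["remote"]))


def mirror_errors(a, b):
    """Mismatches that would keep the two ends from agreeing on the tunnel."""
    errs = []
    if ip.ip_network(a["local"]) != ip.ip_network(b["remote"]):
        errs.append("a.local != b.remote")
    if ip.ip_network(a["remote"]) != ip.ip_network(b["local"]):
        errs.append("a.remote != b.local")
    errs += [f"{k} differs" for k in ("p1", "p2", "pfs") if a[k] != b[k]]
    return errs


def legacy_findings(end):
    """Proposal values that fall below the assumed policy above."""
    out = []
    for phase in ("p1", "p2"):
        enc, hsh, group = end[phase]
        out += [f"{phase}:{v}" for v in (enc, hsh) if v in LEGACY]
        if group < MIN_DH_GROUP:
            out.append(f"{phase}:DH group {group}")
    if not end["pfs"]:
        out.append("pfs:off")
    return out


if __name__ == "__main__":
    transit = dict(RV320, remote="10.255.1.0/24")   # the rejected alternative
    print(selects(RV320, "10.2.1.5", "10.1.1.5"))    # clock -> server
    print(selects(transit, "10.2.1.5", "10.1.1.5"))
    print(mirror_errors(transit, ASA), legacy_findings(RV320))
```

With 10.255.1.0/24 as the remote group, the clock's packets to 10.1.1.5 would not match the tunnel at all and the two ends would no longer mirror each other. The last function also reports that the posted 3DES, SHA1 and DH group 2 proposals with PFS off are legacy values worth raising on both ends where the devices allow it.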

travisryan (Author) Commented:
This was the correct way to set things up.
0
John, Business Consultant (Owner), Commented:
You are very welcome and I was happy to help you with this.
0
Hardware Firewalls

Question has a verified solution.
