
RV042 problem with DMZ port

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by egyvoip, Oct 13, 2006.

  1. egyvoip

    egyvoip LI Guru Member

    I have 2 Linksys RV042 (side 1 & side 2)

    side 1: public IP ex: 134.xxx.13.54 -- LAN IP 192.168.1.1 -- a server connected to its DMZ port with IP: 134.xxx.xxx.56

    side 2: public IP ex: 217.xxx.xxx.12 -- LAN IP 192.168.2.1

    Both are in GW mode, firewall disabled, side 1 remote (192.168.2.0-254), side 2 remote (192.168.1.0-254); 192.168.1.xx pings 192.168.2.xx and the reverse. The VPN between both sides is working very well.

    The problem:
    side 2 (192.168.2.0-254) can reach the DMZ (56) fine; the problem is that the server on the DMZ can reach only the LAN of side 1 (192.168.1.1) but can't ping those in 192.168.2.0-254 while the VPN is running.
     
  2. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    For each site-to-site (or GW-to-GW) VPN, the RV042 can protect only one *inside* network on the local end to one *inside* network on the remote end. I would be very surprised if you could get a box on the DMZ of one RV042 to talk to the private, inside network on the other side. Besides, this flies in the face of the logic of how a DMZ is supposed to work. A DMZ host shouldn't be able to initiate a connection to a more secure zone.

    Sidebar: Linksys's own weirdness:
    ----------------------------------
    That statement aside, the RV042 doesn't seem to work quite like that (ie: the security zone thing with DMZs) anyway. It seems that Linksys's idea of a DMZ is to separately protect the DMZ host against DoS attacks, not to protect the inside hosts from the DMZ host. For example, I can ping inside hosts fine from the DMZ where my mail server resides.

    Possible Solution
    ----------------
    Try creating an *additional* site-to-site VPN, but this time for the IP address of "Side 1's" DMZ host on the local side, and Side 2's 192.168.2.0/24 network for the remote. Of course, you'll want to do the same, but with symmetric rules, for the Side 2 RV042. The RV042 might balk at this since it might not like you trying to create 2 VPNs between the same peers. Another Linksys weirdness. If you find this to be the case, try changing your internal IP addresses so you can find a prefix mask that will allow *both* the DMZ and internal network to be protected by the VPN.

    Let us know what you find.....

    /Eric
     
  3. egyvoip

    egyvoip LI Guru Member

    It works now

    Thanks very much, it works now with the following

    side 1: public IP ex: 134.xxx.xxx.54 -- LAN IP 192.168.1.1 -- a server connected to its DMZ port with IP: 134.xxx.xxx.56

    side 2: public IP ex: 217.xxx.xxx.12 -- LAN IP 192.168.2.1

    Both are in GW mode, firewall disabled.

    VPN parameter
    side 1 Remote Gateway (217.xxx.xxx.12) local group (134.xxx.xxx.56) remote group (192.168.2.0-254),
    side 2 Remote Gateway (134.xxx.xxx.54) local group (192.168.2.0-254) remote group (134.xxx.xxx.56),

    Thank you again
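    The behaviour in this thread comes down to how a policy-based IPsec VPN selects traffic: a packet is only encrypted into a tunnel when its source falls inside that tunnel's local security group and its destination inside the remote security group; anything else leaves the router in the clear. The following is an added example (not code from the thread, from Linksys, or from the RV042 firmware) that models side 1's tunnel table before and after the fix in the post above, checks that side 2's selectors mirror side 1's, and shows why Eric's fallback of finding one covering prefix does not work when the DMZ host sits on a public address. All addresses are constructed: the two LANs are the thread's 192.168.1.0/24 and 192.168.2.0/24, and the RFC 5737 address 203.0.113.56 stands in for the masked 134.xxx.xxx.56.

```python
"""Traffic-selector model for a policy-based (IPsec) site-to-site VPN.

Added example, not the thread's or the vendor's code. Addresses are
constructed; 203.0.113.56 stands in for the thread's 134.xxx.xxx.56.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_group: IPv4Network   # "local security group" on this router
    remote_group: IPv4Network  # "remote security group" on this router


def select_tunnel(src: str, dst: str, tunnels: List[Tunnel]) -> Optional[str]:
    """Return the name of the first tunnel whose selectors cover src -> dst,
    or None when the packet would be forwarded unencrypted."""
    s, d = ip_address(src), ip_address(dst)
    for t in tunnels:
        if s in t.local_group and d in t.remote_group:
            return t.name
    return None


def mirror(tunnels: List[Tunnel]) -> List[Tunnel]:
    """The peer's configuration must swap local and remote groups."""
    return [Tunnel(t.name, t.remote_group, t.local_group) for t in tunnels]


def is_symmetric(a: List[Tunnel], b: List[Tunnel]) -> bool:
    """True when every selector pair on a has its mirror image on b."""
    return ({(t.local_group, t.remote_group) for t in a}
            == {(t.remote_group, t.local_group) for t in b})


def covering_prefix(nets: List[IPv4Network]) -> IPv4Network:
    """Smallest single prefix that contains every network in nets.

    This is the 'find a prefix mask that covers both' fallback; the result
    shows how coarse that prefix becomes for a public DMZ host beside a
    private LAN, which is why a second tunnel is the practical fix.
    """
    prefix = min(n.prefixlen for n in nets)
    base = int(nets[0].network_address)
    while prefix > 0:
        cand = ip_network((base, prefix), strict=False)
        if all(n.network_address in cand and n.broadcast_address in cand
               for n in nets):
            return cand
        prefix -= 1
    return ip_network("0.0.0.0/0")


LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")          # thread's "192.168.2.0-254"
DMZ_HOST = ip_network("203.0.113.56/32")     # constructed stand-in for 134.xxx.xxx.56

# Side 1 as first configured: one LAN-to-LAN tunnel only.
SIDE1_BEFORE = [Tunnel("lan-to-lan", LAN1, LAN2)]

# Side 1 after post 3: an additional tunnel whose local group is the DMZ host.
SIDE1_AFTER = SIDE1_BEFORE + [Tunnel("dmz-to-lan2", DMZ_HOST, LAN2)]

# Side 2 must carry the mirrored selectors.
SIDE2_AFTER = mirror(SIDE1_AFTER)


if __name__ == "__main__":
    print("LAN1 -> LAN2, before:", select_tunnel("192.168.1.20", "192.168.2.20", SIDE1_BEFORE))
    print("DMZ  -> LAN2, before:", select_tunnel("203.0.113.56", "192.168.2.20", SIDE1_BEFORE))
    print("DMZ  -> LAN2, after: ", select_tunnel("203.0.113.56", "192.168.2.20", SIDE1_AFTER))
    print("side 2 mirrors side 1:", is_symmetric(SIDE1_AFTER, SIDE2_AFTER))
    print("single prefix covering LAN1 + DMZ:", covering_prefix([LAN1, DMZ_HOST]))
```

    Before the fix, a packet from the DMZ host to 192.168.2.x matches no selector on side 1 and never enters the tunnel; after the second tunnel is added it does, and side 2's mirrored entry lets the return traffic match as well. The covering-prefix check returns 192.0.0.0/4 for the constructed addresses, which is far too broad to use as a VPN selector, so the extra tunnel rather than re-addressing is the workable option here.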
     
  4. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Gr8! Check back to this forum lots!
     
