
RV042 - RV042 Site-Site VPN Settings

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by fred3, Apr 21, 2007.

  1. fred3

    fred3 Network Guru Member

    I'm back at it and need to know how to configure a pair of RV042 (well actually 4 of them).
    2 RV042 at each site.

    #1 connected to the internet directly on WAN1
    #1 Set up for DMZ.
    #2 WAN1 connected to #1 DMZ port
    each has its own public IP address.

    The other site looks the same.

    #2 at each end will be the VPN device.
    I want to configure the firewall on #2 to block everything but VPN traffic and I'm trying to figure out what has priority inside the RV042.
    The IP addresses look like this.

    Site #1
    Public IP addresses:
    111.111.111.1
    111.111.111.2

    RV042 #1
    WAN1 111.111.111.1
    DMZ 111.111.111.2

    RV042 #2 VPN device
    WAN1 111.111.111.2
    LAN 192.168.1.1
    255.255.255.128

    Site #2
    Public IP addresses:
    111.111.111.3
    111.111.111.4

    RV042 #1
    WAN1 111.111.111.3
    DMZ 111.111.111.4

    RV042 #2 VPN device
    WAN1 111.111.111.4
    LAN 192.168.1.129
    255.255.255.128

    So, how do I set up the firewall in #2 at each end to block all traffic except for the VPN?

    Here's one guess:
    Allow All Traffic / Source WAN1 from public IP at the other site to public IP at this site.
    Allow all Traffic / Source LAN from LAN IPs at this side to LAN IPs on the other site.
    Deny all traffic otherwise.

    I figured that anything incoming on the VPN would have to be incoming to the VPN device public IP address. This assumes the firewall works on VPN packets (as part of all packets) before the VPN does its job of untangling them.

    I figured that anything outgoing from the LAN would have to be coming in to the VPN device before the VPN packaged things up, so the IPs in the firewall setting would be the local ones.

    Is this right or should I be doing it differently?

    An alternate view would be that the VPN does its job first - but that seems less likely...

    Thanks
     
  2. fred3

    fred3 Network Guru Member

    Here's a simpler version of the question:

    I'm working to set up a VPN between sites using RV042 at each end. I've set
    up a "lab" that emulates a simple version of the intended setup as follows:

    Site 1 / LAN1:                  Site 2 / LAN2:
    192.168.1.192                   192.168.1.128
    255.255.255.192                 255.255.255.224
    i.e. .193-.254                  i.e. .129-.158

    LAN 1 host 1:                   LAN 2 host 2:
    192.168.1.213                   192.168.1.137
    gateway: 192.168.1.198          gateway: 192.168.1.157

    RV042#1                         RV042#2
    LAN                             LAN
    192.168.1.198                   192.168.1.157
    255.255.255.192                 255.255.255.224
    WAN1                            WAN1
    223.111.2.009                   223.111.2.008
    255.255.255.248                 255.255.255.248
                  - internet -
              (emulated by a hub)
    So, there is one computer on each LAN that points to the RV042 LAN interface as its gateway.

    The RV042s connect directly using the WAN1 ports using their assigned public
    internet addresses through a hub.
    That's about as simple as one could make it.

    There are complementary tunnels set up in each of the RV042s that identify
    both LAN ranges and both public IP addresses of the RV042s.

    The VPN tunnel doesn't "connect" even under these simple circumstances.
    So, I'm looking for typical RV042 setups that *do* work as I must have done
    something wrong. I just can't figure out what it might be! Is there
    anything obviously wrong above?

    The LAN IP ranges are different so that traffic on one LAN can be routed to
    the other LAN through the VPN when the time comes. In the meantime, I just need to make the VPN work.

    Any suggestions or pointers to URLs appreciated.

    Fred
     
  3. fred3

    fred3 Network Guru Member

    Maybe this will be easier to read:
    Site 1 / LAN1:                  Site 2 / LAN2:
    192.168.1.192                   192.168.1.128
    255.255.255.192                 255.255.255.224
    i.e. .193-.254                  i.e. .129-.158

    LAN 1 host 1:                   LAN 2 host 2:
    192.168.1.213                   192.168.1.137
    gateway: 192.168.1.198          gateway: 192.168.1.157

    RV042#1                         RV042#2
    LAN                             LAN
    192.168.1.198                   192.168.1.157
    255.255.255.192                 255.255.255.224

    WAN1                            WAN1
    223.111.2.009                   223.111.2.010
    255.255.255.248                 255.255.255.248
                  - internet -
              (emulated by a hub)
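Added example, not part of the thread: a small Python sanity check of the lab addressing in the second and third posts, built from the second post's values (it assumes the hub puts both WAN1 ports on the same /29, and drops the leading zeros, which Python's ipaddress module rejects). It flags overlapping LAN ranges, hosts or gateways outside their LAN, and a WAN1 address that is the network or broadcast address of its subnet, which is what it reports for 223.111.2.008/29.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    lan: ipaddress.IPv4Network      # LAN range the tunnel must carry
    lan_gw: ipaddress.IPv4Address   # RV042 LAN interface (the hosts' default gateway)
    host: ipaddress.IPv4Address     # a test host on that LAN
    wan: ipaddress.IPv4Interface    # RV042 WAN1 address with its mask


def check_site(s: Site) -> list[str]:
    """Problems local to one site: addresses outside their subnet, unusable WAN address."""
    problems = []
    if s.lan_gw not in s.lan:
        problems.append(f"{s.name}: gateway {s.lan_gw} is outside LAN {s.lan}")
    if s.host not in s.lan:
        problems.append(f"{s.name}: host {s.host} is outside LAN {s.lan}")
    if s.wan.ip in (s.wan.network.network_address, s.wan.network.broadcast_address):
        problems.append(f"{s.name}: WAN1 {s.wan} is the network or broadcast address of its subnet")
    return problems


def check_plan(a: Site, b: Site) -> list[str]:
    """Problems across both sites; an empty list means the plan is consistent."""
    problems = check_site(a) + check_site(b)
    if a.lan.overlaps(b.lan):
        problems.append(f"LAN ranges {a.lan} and {b.lan} overlap; traffic cannot be routed between them")
    if a.wan.network != b.wan.network:
        problems.append(f"WAN1 {a.wan} and {b.wan} are not on one subnet, but the hub puts them on one link")
    elif a.wan.ip == b.wan.ip:
        problems.append(f"both WAN1 interfaces use {a.wan.ip}")
    return problems


def lab_sites() -> tuple[Site, Site]:
    """Constructed from the second post's lab table (leading zeros dropped: '009' -> '9')."""
    site1 = Site("Site 1", ipaddress.IPv4Network("192.168.1.192/26"),
                 ipaddress.IPv4Address("192.168.1.198"), ipaddress.IPv4Address("192.168.1.213"),
                 ipaddress.IPv4Interface("223.111.2.9/29"))
    site2 = Site("Site 2", ipaddress.IPv4Network("192.168.1.128/27"),
                 ipaddress.IPv4Address("192.168.1.157"), ipaddress.IPv4Address("192.168.1.137"),
                 ipaddress.IPv4Interface("223.111.2.8/29"))
    return site1, site2


if __name__ == "__main__":
    for line in check_plan(*lab_sites()) or ["no addressing problems found"]:
        print(line)
```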
     
