
RV042 tunnel to pix with mutiple remote subnets

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by pspears, Aug 1, 2006.

  1. pspears

    pspears LI Guru Member

    Hello, I have a tunnel from a Linksys RV042 to a PIX 525. I cannot figure out any way to configure or hack the Linksys to allow me to connect to multiple remote subnets behind the PIX. I can only create one tunnel to the PIX. I can go in and change the remote subnet in the VPN config to the other subnet and it works fine also. This is a limitation of the web configuration GUI, I believe. Does anyone know of a fix for this problem? My remote subnets are 192.168.50.x/30 and 10.1.1.x/30, so they are not in a nice little range like Linksys expects. :mad:

    Also, I'm running the latest beta, v1.3.7.9.

    Thanks for any help anyone may offer.
    Paul
     
  2. TazUk

    TazUk Network Guru Member

    Does creating multiple tunnels, i.e. one for each subnet, work?
     
  3. jgutz20

    jgutz20 Network Guru Member

    Shouldn't the PIX firewall be able to link the 2 subnets? Meaning once you connect to the 192.168.X.X network, you should still be able to connect to the 10.1.1.X network. Possibly a static route you could set up.
     
  4. pspears

    pspears LI Guru Member

    The Linksys will not allow me to create multiple tunnels to the PIX. IP+FQDN complains that a tunnel already exists. Also, the PIX could allow that, but they are two separate networks on two separate physical interfaces on the PIX, i.e. they shouldn't be able to talk to each other at all. Only the tunnel traffic has permission to talk to both networks. I can simply change the remote subnet on the Linksys and can then talk to the other network after reconnecting. There just isn't a way to add 2 remote subnets in the web interface. I have telnetd running but haven't found a way to do it there either. I'm also open to another firmware if anyone has any suggestions. Also, does anyone know if the new RVL200 has this same limitation? This is a fairly common practice on a corporate network. I have never run across a VPN device that couldn't talk to multiple remote networks if the perms are set up properly.
     
  5. Toxic

    Toxic Administrator Staff Member

    I think DocLarge should be able to answer this one as he has some experience with VPNs and the PIX
     
  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    I'm a little new to PIX VPN technology (but constantly improving :) ), so my initial thoughts are: are you using a different router for each of the subnets you want a different tunnel to, or is this some sort of VLAN configuration?

    My initial thought from reading what you're trying to do is that you'd require a separate router for each subnet, followed by port forwarding from the PIX to those subnets; you'd most likely have to use the "fixup protocol [port] [protocol]" command.

    This is my first thought after looking at your request. I'm going to PM Eric_Stewart because he's an accomplished CISCO guy and may see this from a better perspective...

    Doc
     
  7. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Hmmm. This *is* a tough one. The RV042's VPN GUI is mostly common with the other Linksys VPN routers. Common *and* deficient, though. To be honest, I've only configured the Linksys boxes in scenarios where they've only been connecting to one "inside" network at the remote end.

    Thinking out loud about this one, I was wondering if you could set up one tunnel on the PIX's FQDN and another one on the PIX's IP address to fool the Linksys into thinking that they are two different remote gateways, but you can't do this anyway. The reason is that on the PIX you check a box (if you're using the GUI) which GLOBALLY sets up whether the PIX will advertise its identity as its FQDN *or* its IP address. In the CLI, this is the "isakmp identity [address | FQDN]" command.

    I wonder if, on the remote network, you could set a gateway up behind the PIX that essentially source routes the packets from your Linksys. The source address of all the packets from the Linksys VPN peer will be the single inside subnet behind *it*. You could set the VPN up to protect the one inside network on the remote peer...say the 192.168.50.x/30 network... then (additionally) the inside gateway could forward packets to your 10.1.1.x/30 if they come from the network that is protected by the Linksys.

    The other possibility (not knowing your exact layout) is to NAT the 192.168.50.x/30 network to an address on the 10.1.1.x/30 network or vice versa.

    <-------->PIX <----------------> Inside G/W <------------>
    __WAN_________192.168.50.x/30___PAT_______10.1.1.x/30
    _______________________________<----x

    The final thought (but I think you kiboshed it) is to renumber your internal subnets onto contiguous address space so you can get fancy with the net masks for the protected networks.

    Unfortunately there is no 3rd party firmware for these Linksys VPN routers so you will have to be creative!

    /Eric
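    The "get fancy with the net masks" option in the post above has a cost that is easy to miss: the single summary prefix that covers both remote subnets may be far larger than the two /30s themselves, and everything inside it becomes "interesting traffic" for the tunnel. The Python below is an added planning check, not code from the thread or from Linksys or Cisco; it takes the local LAN behind the RV042 (the 192.168.1.0/24 used here is an assumed value) and a list of remote subnets, lists the one-tunnel-per-subnet proxy-ID pairs, and computes the smallest summary that would cover all remote subnets together with how many unintended addresses that summary drags in and whether it swallows the local LAN. With the two subnets from this thread the summary collapses to 0.0.0.0/0.

```python
import ipaddress


def covering_supernet(remote_nets):
    """Smallest single prefix that contains every network in remote_nets."""
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in remote_nets))
    candidate = nets[0]
    # Widen the first network one bit at a time until it covers all of them.
    # ipaddress stops at /0, which contains everything, so this terminates.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_excess(remote_nets):
    """Addresses inside the summary that are NOT part of any listed subnet."""
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in remote_nets))
    summary = covering_supernet(nets)
    return summary.num_addresses - sum(n.num_addresses for n in nets)


def plan_policy(local_net, remote_nets):
    """Compare the per-subnet tunnel plan with the single-summary plan.

    local_net   - LAN behind the RV042 (assumed value in the example below)
    remote_nets - subnets behind the PIX that must be reachable
    """
    local = ipaddress.ip_network(local_net)
    summary = covering_supernet(remote_nets)
    return {
        # What a router that supports several remote subnets (or several
        # tunnels to one peer) would negotiate: one proxy-ID pair per subnet.
        "per_subnet_pairs": [(str(local), str(ipaddress.ip_network(r)))
                             for r in remote_nets],
        # What the single-remote-subnet GUI forces if you summarise instead.
        "summary": str(summary),
        "excess_addresses": summary_excess(remote_nets),
        # A summary that overlaps the local LAN would send local traffic
        # into the tunnel, so this must be False before using the summary.
        "summary_overlaps_local": local.overlaps(summary),
    }


if __name__ == "__main__":
    # Constructed inputs: the two remote /30s from the thread, local LAN assumed.
    thread = plan_policy("192.168.1.0/24", ["192.168.50.0/30", "10.1.1.0/30"])
    print("thread layout :", thread)
    # Contrast: two adjacent /30s summarise cleanly into one /29 with no excess.
    adjacent = plan_policy("192.168.1.0/24", ["10.1.1.0/30", "10.1.1.4/30"])
    print("adjacent /30s :", adjacent)
```

The first case shows why the original poster's layout cannot be summarised: the only prefix covering both 192.168.50.0/30 and 10.1.1.0/30 is 0.0.0.0/0, which turns the policy into "send everything into the tunnel" and overlaps the local LAN. The second case is what the "renumber onto contiguous space" suggestion buys you: adjacent /30s summarise into a /29 with zero excess.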
     
  8. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Just thought of something else. I was thinking linearly, but I wasn't thinking laterally:

    I think your solution *is* NAT or PAT on the PIX. For example, if the 10.1.1.x/30 subnet is your DMZ and the 192.168.50.x/30 subnet is your inside network, you could NAT your inside addresses to the DMZ (probably PAT, actually, with that tiny subnet). Because the traffic is going from a higher security level to a lower security level, the translations will be allowed to progress as long as you have no ACLs to prevent this. Similarly, you could create some static translations (probably port forwarding) and access lists to get the traffic into your inside net that originated from the DMZ... the access lists would simply need to permit anything with source address your Linksys' internal net. Statics and ACLs would *not* be required where the traffic that's coming back from the VPN addresses is replies to connections that *originated* from the inside network, since the PIX is a stateful firewall and is keeping track of the translations in its NAT table.

    I added a little pic of what I mean to the post.

    /eric
     
  9. pspears

    pspears LI Guru Member

    That may work.. I'll check and let you know.

    I haven't yet tested my static NATs that I have already in place from the DMZ to the inside network. I am currently allowing some traffic from the 10.x.x network over to my DMZ, which is the 192.168 network. I do have them NATed to represent 10.x.x addresses on the 10.x.x network. I'll test this tomorrow and let you know. This is the only thing I see working unless they simply add this feature to the Linksys. I ordered a PIX 501 today just in case I can't get this going. Thanks for your suggestions. :biggrin:
     
  10. Tempest_Prime

    Tempest_Prime LI Guru Member

    I was able to get access to two remote subnets behind a PIX 506E with an RV042. I had both endpoints using their IP address (both units had static IP addresses) as the method of identification. I basically had to make two tunnels, one for each subnet. The only hiccup I ran into was the PIX barked at me because it was going to overwrite the PSK entry for the first tunnel. I used the same PSK for both tunnels, however, and it worked fine...

    EXCEPT!

    For some ridiculous reason I can't ping through the PIX at all (ICMP is allowed and works fine for things not related to this particular tunnel, such as another tunnel I have going out to a Netopia DSL router). I have no idea where the ICMP echoes are actually dying, but I'm able to do all kinds of other stuff such as telnet and RDP. This happens whether I have one tunnel, two, or even more. Weird, eh?
     