RV042 - port forwarding to host over VPN?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by joe660, Sep 23, 2006.

  1. joe660

    joe660 LI Guru Member

    Does anyone know if it's possible to make an RV042 port forward or DMZ-host to an IP address that is on the remote side of a VPN connection?

    Here's the scenario:

    1. use fast ISP with blacklisted IPs at office with RV042 as FW
    2. put RV042 co-located at an ISP with clean IPs
    3. have office RV042 VPN to the co-located RV042 (Gateway to Gateway)
    4. Set up DMZ-host or port-forwarding on co-lo RV042 to send the traffic to an IP on the LAN at the office (i.e. in at the co-lo RV042, over VPN to RV042 at office, to IP on LAN there).

    Obvious problem: the UI requires the DMZ IP address and port forwarding targets to be IPs in the LAN subnet. I tried to circumvent this by making VPN subnet a subnet of the LAN subnet of the co-located RV042. The routing table even shows an entry for the sub-subnet to go over the ipsec port. Unfortunately, it doesn't seem to work.

    Anyone know if I'm wasting my time on this (e.g. the RV042 just dumps the port forwarding traffic out the LAN ports regardless of a more specific match in the routing tables?)

    Thx in advance.
  2. pablito

    pablito Network Guru Member

    I don't exactly understand what you are trying to do. VPN basic rule: Any IP not configured as part of the VPN won't be allowed on the VPN. Even with a routing entry it gets stopped at the first end point that isn't configured for that IP subnet. You either need to include that subnet in the VPN spec (or additional tunnels) or proxy that part of the traffic so it appears to be on an allowed subnet (port forward/DMZ doesn't do that).

    Is this for additional subnets or a public IP coming in one side trying to get to a server over the VPN? It can certainly be done but not by direct routing if the IP is random.
  3. joe660

    joe660 LI Guru Member

    thanks. Pardon the lack of detail. Here's clarification:

    Simple case:

    1. the co-lo router has one static IP on WAN1 - I would like it to forward+NAT all requests addressed to that IP to a host with a private IP on the other end of a VPN tunnel.

    Oh, I think I realize the problem here - forwarding traffic to all ports means the VPN traffic itself is forwarded - d'oh! However, I think I tried forwarding just one port with no luck (not blocked by co-lo ISP either).

    More interesting case:

    My RV042s' WAN ports plug into switched networks. I'd really like to have it proxy-arp for some public IPs (DMZ or VPN accessible). Given a small number of public IPs this seems to save additional IP losses from more subnetting.

    From what you said, it sounds like if I get the WAN ports connected as a proper router (i.e. all traffic for 1 or more subnets goes to its WAN or LAN ports, not just the WAN port IPs), the RV042 should be able to further send them down a matching VPN.
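The two points raised in this thread, that an IPsec gateway-to-gateway tunnel only carries packets matching its configured subnets even when a more specific route points at the tunnel (pablito's "basic rule"), and that a DMZ host forwarding every port also swallows the tunnel's own IKE/ESP traffic (joe660's "d'oh"), can be checked with a small model of the co-lo router's forwarding path. This is an added example, not code from the thread or from Cisco, and it is a simplified model rather than RV042 firmware behaviour; all addresses are constructed documentation-range values, and the "snat" option models the "proxy so it appears to be on an allowed subnet" workaround pablito describes.

```python
"""Model of how a gateway-to-gateway IPsec router treats port-forwarded traffic.
Constructed example: the addresses, subnets and decision order are assumptions
chosen to illustrate the thread, not RV042 firmware logic."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

COLO_WAN = ipaddress.ip_address("203.0.113.10")      # co-lo router's public IP (constructed)
COLO_LAN = ipaddress.ip_network("192.168.2.0/24")    # co-lo LAN subnet (constructed)
COLO_LAN_IP = ipaddress.ip_address("192.168.2.1")    # co-lo router's own LAN address
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")  # office LAN subnet (constructed)
OFFICE_HOST = ipaddress.ip_address("192.168.1.50")   # server behind the office router
OFFICE_WAN = ipaddress.ip_address("198.51.100.20")   # office router's public IP (constructed)

# Phase-2 traffic selectors of the gateway-to-gateway tunnel: a packet is only
# protected if its source is in the local subnet AND its destination in the remote one.
IPSEC_SELECTORS = [(COLO_LAN, OFFICE_LAN)]

# Routing table, longest prefix wins. The route via "ipsec" is the "more specific
# match in the routing tables" the first post mentions.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan1"),
    (COLO_LAN, "lan"),
    (OFFICE_LAN, "ipsec"),
]


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str                   # "tcp", "udp" or "esp"
    dport: Optional[int] = None

    def __post_init__(self):
        # Accept plain strings for convenience and normalise them.
        self.src = ipaddress.ip_address(self.src)
        self.dst = ipaddress.ip_address(self.dst)


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def is_tunnel_control(pkt):
    """IKE (UDP 500/4500) or ESP addressed to the router itself."""
    return pkt.dst == COLO_WAN and (
        pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport in (500, 4500))
    )


def selector_allows(pkt):
    return any(pkt.src in local and pkt.dst in remote for local, remote in IPSEC_SELECTORS)


def process_inbound(pkt, forward_ports=None, dmz_host=False, snat=False):
    """Decide what happens to a packet arriving on WAN1 of the co-lo router.

    forward_ports: TCP/UDP ports forwarded to OFFICE_HOST (single-port case).
    dmz_host:      True models "DMZ host = OFFICE_HOST", i.e. forward everything.
    snat:          rewrite the source to COLO_LAN_IP before the IPsec policy check
                   (the proxy workaround); returns a short outcome label.
    """
    forward_ports = forward_ports or set()
    if pkt.dst != COLO_WAN:
        return "not-for-us"
    if is_tunnel_control(pkt):
        # With a DMZ host the router's own IKE/ESP is forwarded away too,
        # so the tunnel can never come up (the "d'oh" case).
        return "tunnel-traffic-diverted" if dmz_host else "terminated-locally"
    if not (dmz_host or pkt.dport in forward_ports):
        return "dropped-no-rule"
    # Destination NAT to the host on the far side of the tunnel.
    nat_pkt = Packet(COLO_LAN_IP if snat else pkt.src, OFFICE_HOST, pkt.proto, pkt.dport)
    iface = lookup_route(nat_pkt.dst)
    if iface != "ipsec":
        return f"plain-forward-via-{iface}"
    # The route points at the tunnel, but IPsec still enforces its selectors:
    # an arbitrary Internet source is not in COLO_LAN, so the packet is refused.
    if not selector_allows(nat_pkt):
        return "dropped-by-ipsec-selector"
    return "encapsulated-to-office"


def demo():
    """Run the three scenarios from the thread and return their outcomes."""
    client = "192.0.2.77"  # random Internet client (constructed)
    return {
        "one_port_no_snat": process_inbound(Packet(client, COLO_WAN, "tcp", 443), {443}),
        "one_port_with_snat": process_inbound(Packet(client, COLO_WAN, "tcp", 443), {443}, snat=True),
        "dmz_host_ike": process_inbound(Packet(OFFICE_WAN, COLO_WAN, "udp", 500), dmz_host=True),
        "one_port_ike": process_inbound(Packet(OFFICE_WAN, COLO_WAN, "udp", 500), {443}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the single-port forward failing at the selector check despite the route pointing at the tunnel, succeeding once the source is rewritten into the co-lo LAN, and the DMZ-host configuration diverting the office router's IKE packet so no tunnel is ever negotiated.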