RV042 Gateway to Gateway VPN with 1 to 1 NAT issue

spacetrance (Level 1)

I'm having an issue with routing VPN traffic through the VPN with public IP addresses used on each side.

Router is in Gateway Mode
"Multiple Subnets" and DMZ are both disabled

Network setup:

Lan Network: 192.168.2.0
LAN IP: 192.168.2.3
Wan Interface: 77.77.77.42
ISP side of WAN segment 77.77.77.41

My side:
Server: 192.168.2.2
One to One nat: 77.77.77.44 => 192.168.2.2


Other Side:
Gateway: 99.99.99.4
Server: 99.99.99.103

VPN Gateway to Gateway:

Local Group: 77.77.77.44 / 255.255.255.255

Remote Gateway: 99.99.99.4

Remote Group (IP Address): 99.99.99.103

Nat Traversal is On

Connection established without any problem.

Problem is when I traceroute from server 192.168.2.2 to the remote group computer, traffic goes out through the internet. It is as if the router is completely ignoring the VPN tunnel. The RV042 will only allow me to set up static routes and bind to interface WAN1, WAN2 or LAN.

I am connecting to an ASA 5510 on the other side.

Routing Table:

Destination IP   Subnet Mask        Default Gateway   Hop Count   Interface
99.99.99.103     255.255.255.255    77.77.77.41       35          eth1
77.77.77.40      255.255.255.248    *                 0           eth1
192.168.2.0      255.255.255.0      *                 0           eth0
default          0.0.0.0            77.77.77.41       40          eth1


Obviously from looking at the routing table and watching the traceroutes I can see the problem. The router is sending 99.99.99.103 to the ISP side of the WAN connection, instead of through the VPN. WHY?

Question is: why isn't the router picking up on the IP address in the VPN setup and sending that data through the tunnel? Is the RV042 not able to route public IP addresses through an IPsec tunnel?

Debug on the other side shows:
Group = 77.77.77.42, IP = 77.77.77.42, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 77.77.77.44/255.255.255.255/0/0 local proxy 99.99.99.4/255.255.255.255/0/0 on interface outside

6 Replies

spacetrance (Level 1)

Also, if I add a rule to block traffic to the one to one NAT address, everything still comes to the server... RDP, ICMP... everything. Even if I set up a deny ALL services from Source WAN1 to 77.77.77.44 from ANY IP address...

Doesn't make sense to me, seems like I have a basic config option wrong or the router is hosed....

spacetrance (Level 1)

Found the problem.

1) The VPN should be set up with the local network address and not the local host address.

2) The RV042 does NOT support 1 to 1 NAT within the VPN tunnel. We have to upgrade to the 500 series. It supported 1 to 1 and VPN but they do not work together.

Sent from Cisco Technical Support iPhone App
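To make the two findings above concrete, here is an added worked example (written for this thread, not code from the original posts or from Cisco). It models what a policy-based IPsec gateway does with the original post's setup: the SPD is consulted with the packet's real source address (192.168.2.2), so a local group of 77.77.77.44/32 never matches and the packet is forwarded in cleartext over the WAN route, which is exactly what the traceroute showed. It also parses the ASA debug line quoted in the first post and compares the proxy IDs the RV042 offered against the mirror-image crypto ACL the ASA would need; that expected ACL (local 99.99.99.103/32, remote 192.168.2.0/24) is an assumption for the example, not something the thread states.

```python
import ipaddress
import re
from dataclasses import dataclass

# Phase 2 traffic selectors (proxy IDs) of a policy-based IPsec tunnel.
@dataclass(frozen=True)
class Selector:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def net(text):
    """Accept both prefix ("x/32") and dotted-mask ("x/255.255.255.255") forms."""
    return ipaddress.ip_network(text, strict=False)


def classify_packet(selector, src, dst):
    """Decide what a policy-based gateway does with a packet src -> dst.

    The SPD lookup uses the packet's actual source address. On the RV042 the
    1:1 NAT address (77.77.77.44) is never substituted before that lookup, so a
    selector built from the NAT address can only ever miss.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in selector.local and d in selector.remote:
        return "encrypted via tunnel"
    return "forwarded in cleartext via WAN route"


# The rejection line from the first post; the ASA prints the peer's proposed
# proxies as remote proxy (peer's local group) and local proxy (what the peer
# asks the ASA to protect), each as addr/mask/proto/port.
ASA_DEBUG = (
    "Group = 77.77.77.42, IP = 77.77.77.42, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 77.77.77.44/255.255.255.255/0/0 "
    "local proxy 99.99.99.4/255.255.255.255/0/0 on interface outside"
)

PROXY_RE = re.compile(
    r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+"
)


def parse_asa_proxies(line):
    """Return the offered proxies as seen from the ASA's side, or None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    return Selector(
        local=net(f"{m.group(3)}/{m.group(4)}"),
        remote=net(f"{m.group(1)}/{m.group(2)}"),
    )


def mirrors(asa_acl, offered):
    """A crypto map entry matches only if both proxies are exact mirrors."""
    return asa_acl.local == offered.local and asa_acl.remote == offered.remote


# Assumed crypto ACL on the ASA for this example (not from the thread):
# protect the remote server and expect the RV042's real LAN, not its NAT address.
EXPECTED_ASA_ACL = Selector(local=net("99.99.99.103/32"), remote=net("192.168.2.0/24"))

# Local group as configured in the original post versus the corrected form.
BROKEN_RV042 = Selector(local=net("77.77.77.44/32"), remote=net("99.99.99.103/32"))
FIXED_RV042 = Selector(local=net("192.168.2.0/24"), remote=net("99.99.99.103/32"))


def diagnose():
    """Summarise both findings for the server-to-server flow in the post."""
    offered = parse_asa_proxies(ASA_DEBUG)
    return {
        "broken_path": classify_packet(BROKEN_RV042, "192.168.2.2", "99.99.99.103"),
        "fixed_path": classify_packet(FIXED_RV042, "192.168.2.2", "99.99.99.103"),
        "asa_offered_remote": str(offered.remote),
        "asa_offered_local": str(offered.local),
        "asa_acl_mirrors_offer": mirrors(EXPECTED_ASA_ACL, offered),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

The defender's takeaway from the output is the one the thread reaches: a selector miss on a policy-based gateway is not a routing failure but a silent fall-through to the default route, so traffic meant for the tunnel leaves in the clear. Checking the proxy IDs on both ends against each other, and watching for "no matching crypto map entry" in the peer's logs, catches this before a traceroute does.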

Richard,

Correct -- if you're looking for a device that will NAT through VPN then you should look at the ASA55xx device. The SA500 series devices don't support NAT through the tunnel.

Jasbryan

Support on the phone said that the SR520 supports 1 to 1 through VPN. I hope that is correct because I have already purchased and configured the product. I will be installing on Monday the 26th.

Sent from Cisco Technical Support iPhone App

Dear Jones,

Please, have you ever had success using the SR520 in your environment? Does the SR520 support 1 to 1 through VPN?

Regards

Yes, the SR520 allowed me to establish a VPN connection and the other end could communicate to the 1 to 1 NAT'd address!!!