
RV340 VPN/LAN communication

Hello,

 

I recently set up a Cisco RV340 VPN router. I bought it for VPN functionality, and I was able to set up SSL VPN with the Cisco AnyConnect Mobility Client. The tunnel works and I can reach the network with the VPN, but I'm not able to ping any host, only the IP address of the default gateway 192.168.1.1, and I can ping 172.16.21.1/24 when connected on the VPN. Below are some additional details that can assist with troubleshooting the issue.

 

Public static IP Address: yes

WAN 1:dhcp

WAN2:static public ip address

Is the IP Address pingable: no

LAN Subnet: 19.168.1.0/24

VPN Subnet 172.16.21.1/24

Block Wan request: disabled

 

 

 

 
 
 

 


balaji.bandi
Hall of Fame

You need to create an access rule to allow the VPN users' IP range to connect to the local LAN IP address.

 

Change the IP address as per your network ranges.

 

For the problem of being able to connect via VPN but then not being able to ping resources on your local network, what you need to do is add a firewall access rule from your VLAN subnet to your VPN subnet, as shown below.

image.png

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Can you confirm if my network settings have to be the same as shown in the screenshot? If so, please specify which subnet for VLAN 1 and the VPN subnet.

You can use any source interface example - test and advise.

source IP  - VPN Subnet 172.16.21.1/24

Destination : LAN Subnet: 19.168.1.0/24

 

BB


Thanks for the instructions, but no host on the LAN is reachable with ping. Any other options we can explore?

 

 

 

 

 

Hello, I saw this post and I added the access rule as recommended, but in my case it also didn't work.

I made a similar post myself but unfortunately I haven't received any answer yet. In the forum I could read of many people having the problem of pinging the VLAN from the VPN with the RV340 series. Is there anybody who can post a simple example of a working configuration? Thanks a lot

Hello Cristian,

 

I didn't manage to get this solution verified on the RV340 series; instead I returned this device and got a Cisco Meraki MX64. However, after configuring the MX64 for L2TP VPN, I noticed the same issue of the device not being able to ping any devices on the LAN, so I built a lab with the configs below, tested it, and it worked. You can try this same format; let me know if you encounter any issues.

 

Lan SUBNET: 10.36.0.0/25

VPN SUBNET: 172.16.200.0/24

---------------------------

Firewall Rule

I used this SUBNET for the VPN on the firewall rule 172.16.200.0/32 --(Because on the VPN client it shows /32 subnet mask)

Allow > Protocol: Any  SRC:172.16.200.0/32   SRC port: Any   DST: 10.36.0.0/25  DST port: Any 

 

--------------------------

Port forwarding

Permit port forwarding on a single host machine for traffic. You can do this for ports 500 and 4500 to the host device you are trying to reach.

 

Desc: RemoteConnec  Protocol:TCP  Public port:500  LAN IP:X.X.X.X   Local Port: 500   Allowed remote IP: Any

 

 

 

 

 

Hi Josiah,

Thanks a lot for your feedback. I first need to study a bit how L2TP VPN
works, then I'll let you know if I can implement it on the RV340 series.

My Best
Cristian

nagrajk1969
Spotlight

Hi Josiah/Cristian

 

I don't know why it is so complicated to understand the network-routing aspects of your deployment... it's like this:

 

PC(192.168.1.2/24)----(1.1)[ RV340-Gw ]wan1-dhcp====ssl-tunnel===={internet}====tunnel====(172.16.27.1)[AnyConnect-Client]

 

1. Your configs:

LAN Subnet: 19.168.1.0/24

- This subnet will be the default VLAN 1 LAN subnet on the RV340, and the IP address on the VLAN 1 interface eth3.1 on the RV340 would be 192.168.1.1/24.

- Now ensure, and it's very important to confirm (although I think you would have configured it as such), that the hosts connected to the LAN ports of the RV340 (in VLAN 1) are configured with the default gateway of 192.168.1.1.

- The reason I am saying the above is because, for the LAN hosts (in the IP address range of 192.168.1.x/24) to reach the 172.16.21.0/24 network (which will be the IP address range assigned to the SSL VPN clients connecting to the RV340 AnyConnect SSL VPN server), they are required to configure the default gateway as 192.168.1.1, mandatorily.

 

2. Your present config on the AnyConnect SSL VPN Server page:

VPN Subnet 172.16.21.1/24

- The above subnet is wrong. You should enter the value of the subnet as 172.16.21.0/24 in the SSL VPN server page on the RV340, in case it's not already done so.

 

- Next, if my assumption is right, in the AnyConnect Server config page on the RV340 you may have configured the default SSL VPN profile as "full-tunnel". Otherwise, if you have configured a split-tunnel, then please ensure you configure the LAN subnet "192.168.1.0/24" in the split-tunnel list in the SSL VPN profile config.

 

- This is important: in case you have not explicitly configured/enabled the "split-tunnel" checkbox in the SSL VPN Default Profile, then it means that the tunnel established by the AnyConnect clients to the RV340 will be a "full-tunnel", meaning ALL traffic will flow through the established SSL VPN tunnel.

 

So in either case, whether it's a full-tunnel or a split-tunnel, follow the above points, AND

 

a) After the tunnel is established, you should be (and will be) able to communicate between the AnyConnect client and the LAN host PC.

Note: as mentioned above, ensure that the default gateway of PC1 is configured with the IP address 192.168.1.1 (the LAN interface of the RV340), so as to route traffic to the 172.16.21.0/24 network, and vice versa.

 

 

And please kindly note, there will be NO requirement and you should not be configuring ANY FIREWALL/ACCESS RULES... THERE IS NONE REQUIRED.

 

 

 

 

 

Nagrajk1969,

 

I appreciate your input on the solution. Regardless of the routing or subnet, which I changed over the last 2 months, I got the same result: request timeout. There seems to be a production-related issue on the RV340.

Dear Josiah, Dear nagrajk1969,

 

Thanks to your contributions I could solve the problem. My error was the gateway of the machine I was trying to connect to using the SSL VPN.

 

I'll try to clarify for anybody else who's gonna read the post.

 

ADSL Modem on WAN: 192.168.1.1

RV345 on WAN: 192.168.1.10

RV345 on VLAN1: 192.168.2.1

 

My error was that I had set up the gateway of the DVR (192.168.2.6) to 192.168.1.1 instead of 192.168.2.1. Once I switched to the right IP for the gateway I could establish the connection with the DVR using the SSL VPN.

Another mistake I was making while testing the VPN connection was that I was trying to ping a few access points with static IPs on my internal network. As far as I know now, the access points don't have a gateway, and that would explain why I can ping them from the VLAN but I can't do it from the VPN tunnel.

The more logical thing to do to test the VPN connection would have been to try to ping a PC on VLAN1 under DHCP. I don't know why I didn't do it before, but anyway now it works fine. Maybe I was doing something else wrong...

Sincerely grateful,

Cristian
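
The two misconfigurations identified in this thread (a VPN pool entered with host bits set, and a LAN host whose default gateway is not the VPN router's LAN address) can be checked offline before touching firewall rules. The following is an added example, not part of any participant's post: the function names are hypothetical, the DVR address and gateways come from the last post, the VPN pool from the original question, and the access point address is constructed.

```python
import ipaddress

def check_vpn_pool(cidr):
    """Return (network, warning) for a VPN client pool entered in CIDR form."""
    iface = ipaddress.ip_interface(cidr)
    warning = None
    if iface.ip != iface.network.network_address:
        warning = f"{cidr} has host bits set; the network is {iface.network}"
    return iface.network, warning

def check_lan_host(host_cidr, gateway, router_lan_ip):
    """List reasons a LAN host's replies cannot be routed back to VPN clients."""
    host = ipaddress.ip_interface(host_cidr)
    if gateway is None:
        return ["no default gateway: host can only answer its own subnet"]
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in host.network:
        problems.append(f"gateway {gw} is outside {host.network} (not on-link)")
    if gw != ipaddress.ip_address(router_lan_ip):
        problems.append(f"gateway {gw} is not the VPN router LAN address {router_lan_ip}")
    return problems

def diagnose(vpn_pool_cidr, router_lan_ip, hosts):
    """Run both checks and return a report dict keyed by host name."""
    pool, warning = check_vpn_pool(vpn_pool_cidr)
    report = {"pool": str(pool), "pool_warning": warning, "hosts": {}}
    for name, (cidr, gw) in hosts.items():
        report["hosts"][name] = check_lan_host(cidr, gw, router_lan_ip)
    return report

# Constructed inventory. The DVR address and both gateways come from the last
# post; the access point address is made up for illustration.
HOSTS = {
    "dvr-before-fix": ("192.168.2.6/24", "192.168.1.1"),
    "dvr-after-fix": ("192.168.2.6/24", "192.168.2.1"),
    "access-point": ("192.168.2.20/24", None),
}

if __name__ == "__main__":
    # VPN pool as typed in the original question; router LAN IP from the last post.
    report = diagnose("172.16.21.1/24", "192.168.2.1", HOSTS)
    print("pool:", report["pool"], "|", report["pool_warning"] or "ok")
    for name, problems in report["hosts"].items():
        print(f"{name}: {'; '.join(problems) or 'ok'}")
```

A host that reports problems here will still answer pings from its own VLAN, which is why the symptom only appears from the VPN side.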