Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1133
Views
5
Helpful
7
Replies

RV320 as Router SBS2011 as DHCP Server and using IPSEC

Go to solution
refrainfrombeinglame
Level 1
Level 1

‎03-12-2015 05:43 AM

Our company is really interested in acquiring a Cisco RV320 VPN-router as a replacement for our old insecure PPTP-only VPN-router. Before actually acquiring the router there are some questions i would like to have answered.

In our current setup we have a SBS2011 standard Server that is used as a DHCP-,  DNS-, Exchange- and SMB server for our company network, all devices function within the same (192.168.0.1/24) network.
We would like to add the RV320 to our network in order to allow employee's access to the company network when they're at home or on the road using IPSEC VPN (client to site).

In our current setup we use (or used) a VPN-router and allowed VPN clients to acquire a IP-adress from the PPTP-server, those IP-adresses fell within a range that the SBS2011 DHCP-server was exempted from handing out. It was pretty simple actually

How can we setup the RV320-router in such a way that there won't be any conflicts between the RV320 router and the SBS2011 server in regard to handing out IP-adresses to IPSEC VPN clients?

Can we configure the RV320 to forward DHCP-requests tot the SBS2011 server?  We want all clients (including IPSEC VPN clients to fall within the same network).
Can this be done by simply using the DHCP-relay option (in the web-interface) and entering the IP-adress of the SBS2011 server?

Should we disable DHCP on the RV320-router, or is there another way to keep using the SBS2011-server as the DHCP-server while still allowing IPSEC VPN client-to-site to access our local network?

Thanks in advance

 


 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
cchamorr
Level 5
Level 5

‎03-12-2015 10:28 AM

Hello and thank you for considering Cisco for your networking needs.

First of all I understand that you are used to work with the PPTP connection and now you want to move to a more secure IPSec connection.

Thats a great idea, but there are a few things to consider:

1- The RV320 supports the IPSec VPN via the Cisco VPN Client 5.0, that you can download from the Cisco website only if after you purchase a contract for the router. 

The contract will set you back around $70 depending on where you decide to purchase it but it has several features including 3 years of 24/7 phone support and guaranteed Next Business Day Replacement if the unit becomes unresponsive, it also allows you to download special software as the Cisco VPN Client.

2- For the client VPN connection, you can't nor you need to try and relay the DHCP request to anything, the router will handle it and it will be probably on a different subnet than your LAN but it will allow you access to any devices on the network.

3- If you don't want to purchase the contract, then you can still use PPTP from the RV320 and it will give you the same access you are already used to.

I hope this was helpful, please let us know if you have any more questions.

View solution in original post

0 Helpful

Go to solution
cchamorr
Level 5
Level 5
In response to refrainfrombeinglame

‎03-12-2015 01:57 PM

Hello, 

I want to answer your questions:

1-  If i understand correctly, the router wil assign the VPN clients a IP-adress. Yes

2- What isn't yet clear to me is the 'different subnet' part of you're answer: does it require me to simply  configure the router to use - for instance - the 192.168.2.1/24 range when the LAN uses the 192.168.0.1/24 range? No really. When you enable the router and configure it for IPSec VPN access, by default it will provide IP addresses on the 172.16.100.100. This doesn't mean the router needs to have DHCP enabled, even if disabled it will still provide IP addresses for Remote clients.

3- And if i understand correctly, there will then be two DHCP Servers present on the LAN the RV320 and our SBS2011 this will surely cause problems?? Now, I'm not sure you will need to leave the DHCP server enabled on the router, to answer this question I need to know if you will be using VLANs or not. If you won;t be using VLANs but will have all of your devices on the same subnet then you can disable the DHCP server on the router, otherwise you will need to leave it enabled.

To make it easier to understand, here is a link to the emulator for this device:

https://www.cisco.com/assets/sol/sb/RV320_Emulators/RV320_Emulator_v1.1.0.09/default.htm

I hope this was clear, but if you have any more questions, please let us know.

 

 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
cchamorr
Level 5
Level 5

‎03-12-2015 10:28 AM

Hello and thank you for considering Cisco for your networking needs.

First of all I understand that you are used to work with the PPTP connection and now you want to move to a more secure IPSec connection.

Thats a great idea, but there are a few things to consider:

1- The RV320 supports the IPSec VPN via the Cisco VPN Client 5.0, that you can download from the Cisco website only if after you purchase a contract for the router. 

The contract will set you back around $70 depending on where you decide to purchase it but it has several features including 3 years of 24/7 phone support and guaranteed Next Business Day Replacement if the unit becomes unresponsive, it also allows you to download special software as the Cisco VPN Client.

2- For the client VPN connection, you can't nor you need to try and relay the DHCP request to anything, the router will handle it and it will be probably on a different subnet than your LAN but it will allow you access to any devices on the network.

3- If you don't want to purchase the contract, then you can still use PPTP from the RV320 and it will give you the same access you are already used to.

I hope this was helpful, please let us know if you have any more questions.

0 Helpful

Go to solution
refrainfrombeinglame
Level 1
Level 1
In response to cchamorr

‎03-12-2015 01:23 PM

Hello cchamorr,

Thank you for replying this quickly and providing additional information regarding the Cisco VPN client and optional contracting options.
 

It's clear to me now that i shouldn't use DHCP relaying in order to keep the network functioning properly in conjunction with the RV320. If i understand correctly, the router wil assign the VPN clients a IP-adress.

What isn't yet clear to me is the 'different subnet' part of you're answer: does it require me to simply  configure the router to use - for instance - the 192.168.2.1/24 range when the LAN uses the 192.168.0.1/24 range? 

And if i understand correctly, there will then be two DHCP Servers present on the LAN the RV320 and our SBS2011 this will surely cause problems??

Or does the DHCP Server within the RV320 only work with the VLAN created by the router and not the local LAN? thus preventing any problems with conflichting DHCP servers / IP-adresses.







 

0 Helpful

Go to solution
cchamorr
Level 5
Level 5
In response to refrainfrombeinglame

‎03-12-2015 01:57 PM

Hello, 

I want to answer your questions:

1-  If i understand correctly, the router wil assign the VPN clients a IP-adress. Yes

2- What isn't yet clear to me is the 'different subnet' part of you're answer: does it require me to simply  configure the router to use - for instance - the 192.168.2.1/24 range when the LAN uses the 192.168.0.1/24 range? No really. When you enable the router and configure it for IPSec VPN access, by default it will provide IP addresses on the 172.16.100.100. This doesn't mean the router needs to have DHCP enabled, even if disabled it will still provide IP addresses for Remote clients.

3- And if i understand correctly, there will then be two DHCP Servers present on the LAN the RV320 and our SBS2011 this will surely cause problems?? Now, I'm not sure you will need to leave the DHCP server enabled on the router, to answer this question I need to know if you will be using VLANs or not. If you won;t be using VLANs but will have all of your devices on the same subnet then you can disable the DHCP server on the router, otherwise you will need to leave it enabled.

To make it easier to understand, here is a link to the emulator for this device:

https://www.cisco.com/assets/sol/sb/RV320_Emulators/RV320_Emulator_v1.1.0.09/default.htm

I hope this was clear, but if you have any more questions, please let us know.

 

 

0 Helpful

Go to solution
refrainfrombeinglame
Level 1
Level 1
In response to cchamorr

‎03-12-2015 02:45 PM

cchamorr,

I think i get it now:

The DHCP server built in to the RV320 (under the DHCP tab in the WebiF) doesn't govern the IPSEC-VPN clients, those are provided IP-adresses in the 172.16.100.100 range (this 'virtual ip range' can be edited by clicking on "summary" under the "VPN" tab).

The DHCP server that is built-in to the RV320 governs the VLAN's and can be disabled when VLAN's arent used.

Am i correct?

Two more quick questions:
1. In theory i would be able to edit the Virtual IP Range so that IPSEC-VPN-clients are given a ip within the 192.168.240-192.168.0.250 range, right?

So this wouldn't be that different from the VPN PPTP-server we used which handed out adresses within a range that is excluded from assignment by our SBS (DHCP) server.


2. As you might have noticed i'm no network engineer, nor have i had any formal training or schooling in IT, i'm just combining my normal work with being a system administrator since no one else is within the company is, and our IT needs improvement.
That being said:
Does the contract you wrote about earlier include help configuring it, just in case i run into problems i'm not able to solve on my own?

Thanks, you've been more then helpful so far.




 

0 Helpful

Go to solution
cchamorr
Level 5
Level 5
In response to refrainfrombeinglame

‎03-12-2015 03:11 PM

Hello, 

You understood everything perfectly.

In regards to your questions:

1- No, on this router you will have to use a different range from the subnet you are using on your LAN, but, again, there is no problem as the router will allow any traffic coming from the VPN onto your LAN even thou the IP addresses are on different subnets

2- You are doing a great job, there is a lot of people that work on IT and get very lost on all this concepts.

Now, to be very clear, when you buy the device, even without a contract, Cisco will give 1 year of free phone support for configuration questions. You can get support MOn-Fri 9 to 6 your local time. The contract will improve on it extending the support for 3 years and making it 24/7. Also, it will allow you to get the Cisco VPN client.

Let us know of any other questions you may have, that's what we are here for.

 Now, if I have answered your question correctly and it was helpful to you, please remember to mark the answer as correct so that other members can benefit from it.

Go to solution
cchamorr
Level 5
Level 5
In response to cchamorr

‎03-12-2015 03:16 PM

Thank you for taking the time to rate the answer.

Again, don't hesitate to post any questions you may have, we are here to help.

0 Helpful

Go to solution
refrainfrombeinglame
Level 1
Level 1
In response to cchamorr

‎03-12-2015 03:22 PM

cchamorr,

You've anwsered all questions that i have in regard to the RV320, i've marked the most helpful answers as correct.

I will now inform my boss that we need to go ahead and purchase a Cisco RV320.

Thanks once more  :)

0 Helpful
Customers Also Viewed These Support Documents