RV325 port address translation to (VPN) virtual IP address

j.hammel
Level 1

Good day-

I have a relatively new deployment of an RV325. When configuring PAT from the public IP address to an inside device, I have no problem doing this to a device on the LAN of 192.168.x.x. I have accepted the default suggestion for the virtual IP address range for VPN clients to get 172.16.100.x. I'm trying to port forward from the public IP address to a virtual IP address on the VPN side, and get the following error (I go to Setup > Forwarding, pick the traffic type and set 172.16.100.105 as the device to forward to), and get this error message:

This IP address should be in LAN or Multiple Subnet IP range.

Any suggestions? If we can port forward to LAN devices, I don't really see a reason why we can't forward to a device on the VPN side. Any input or suggestions would be appreciated. Thanks in advance...

4 Replies

cchamorr
Level 5

Hello, 

I'm assuming that you are talking about the range for the Easy VPN clients.

I'm trying to understand the point to create port forwarding to a device on a remote network when you are already connected to it via VPN.

In any case, in general terms, you cannot port forward to anything that is not configured on the LAN side of the router and using the IP address of the router as the Default Gateway.

The only way to enable Port Forward or any kind of services on the remote network is to configure that on the local router hosting those devices.

I hope this helps.

Thanks cchamorr. I appreciate it. What we have here is a line-of-business app whose traffic must come to/from the RV325 public IP address. When a user connects in remotely via VPN and sends/receives data to/from the 3rd party, the outbound traffic TO the third party works fine. The RV325 is then sending inbound traffic on different ports to different clients. It's working fine doing this (NAT) to inside LAN client devices, but we cannot set up a NAT rule to the 172.16.100.x IP address that the VPN user is getting, so he does not get the inbound traffic coming from the third party. Conversely, if the remote user tries to send to/from the third party WITHOUT going over the VPN, then the outbound traffic is seen as coming from his personal public IP address, which is not whitelisted at the third party site. I think we're forced to have the remote user use the VPN due to the public IP whitelisting requirement. I might suggest to the customer that the user remote desktop to a client device inside the LAN; then we can NAT to the inside LAN client IP and not need to NAT to the VPN client IP of 172.16.100.x.

I welcome any input, questions, suggestions.  Thanks much...

Hello, 

I was trying to understand this but I'm still a little lost as to what the issue is. In any case, I think the problem is related to the fact that when remote users connect to the VPN they get an IP address in the range 172.16.100.x for traffic between the local and remote networks. Now, even if the remote users are already connected to the VPN, if they try to send traffic to the app from their location, the traffic appears to be coming from their own public IP address and it doesn't work.

If that is correct, and you are using the Easy VPN client, then I think the solution is to setup the connection as a Full Tunnel as opposed to a split tunnel.

A full tunnel will send all the traffic, even internet traffic, via the tunnel and then out to the internet, effectively showing the traffic as coming from the IP address of the 325 even for the remote users.

Here is a document with the information about how to create the Full Tunnel on the router.

http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=595e165f533f4aba9a931fd6efd71427_Configure_Easy_Client_to_Gateway_Virtual_Private_Network__VP.xml&pid=2&respid=0&snid=3&dispid=0&cpage=search

Please try this and let us know if it helped.

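As an added example (not part of this thread and not Cisco's code), the following Python script models the route selection behind the split-tunnel vs. full-tunnel difference described in the reply above. It simulates two forwarding tables with longest-prefix match: the remote PC's (with or without a tunnel default route) and the RV325's (LAN, VPN virtual subnet, WAN). The public addresses, the /24 masks and the third-party host are constructed assumptions (RFC 5737 documentation ranges); only the 172.16.100.x virtual-IP range and the 192.168.x.x LAN come from the thread. That a full-tunnel client wins over the ISP default route by installing a lower-metric default is also an assumption about the client, used here only to model "all traffic goes through the tunnel".

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (assumptions; documentation ranges from RFC 5737).
CLIENT_PUBLIC_IP = "203.0.113.10"   # remote user's own ISP address
ROUTER_PUBLIC_IP = "198.51.100.1"   # RV325 WAN address
THIRD_PARTY_IP = "192.0.2.50"       # the whitelisting third-party service
# From the thread: VPN virtual IP and LAN ranges (the /24 masks are assumed).
VPN_CLIENT_IP = "172.16.100.105"
VPN_NET = "172.16.100.0/24"
LAN_NET = "192.168.1.0/24"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str          # client: "tunnel" / "isp"; router: "lan" / "vpn" / "wan"
    metric: int = 0   # lower is preferred when prefix lengths tie


def lookup(routes, dst):
    """Longest-prefix match; lowest metric breaks ties (standard forwarding behaviour)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric)).via


def client_routes(full_tunnel):
    """Routes installed on the remote PC while the VPN is up."""
    routes = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "isp", metric=100),   # home ISP default
        Route(ipaddress.ip_network(LAN_NET), "tunnel"),                # RV325 LAN via VPN
        Route(ipaddress.ip_network(VPN_NET), "tunnel"),                # other VPN clients
    ]
    if full_tunnel:
        # Assumed modelling of a full tunnel: a better-metric default route via the VPN,
        # so internet-bound traffic no longer leaves directly through the ISP.
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "tunnel", metric=10))
    return routes


ROUTER_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan"),
    Route(ipaddress.ip_network(LAN_NET), "lan"),
    Route(ipaddress.ip_network(VPN_NET), "vpn"),
]


def source_seen_by(dst, full_tunnel):
    """Source address the destination sees for a packet sent by the VPN client."""
    if lookup(client_routes(full_tunnel), dst) == "isp":
        return CLIENT_PUBLIC_IP        # leaves via the user's ISP, never touches the RV325
    hop = lookup(ROUTER_ROUTES, dst)   # packet arrives at the RV325 through the tunnel
    if hop == "wan":
        return ROUTER_PUBLIC_IP        # internet-bound: router NATs it to its WAN address
    return VPN_CLIENT_IP               # LAN / VPN destinations see the virtual IP as-is


def is_whitelisted(dst, full_tunnel, allowed=(ROUTER_PUBLIC_IP,)):
    """Would a third party that only allows the RV325's public IP accept this traffic?"""
    return source_seen_by(dst, full_tunnel) in allowed


if __name__ == "__main__":
    for mode, full in (("split tunnel", False), ("full tunnel", True)):
        print(f"{mode}: third party sees {source_seen_by(THIRD_PARTY_IP, full)}, "
              f"whitelisted={is_whitelisted(THIRD_PARTY_IP, full)}")
```

With the split tunnel only the two private prefixes go through the VPN, so the third party sees the user's own ISP address and the whitelist check fails; with the full tunnel the default route points into the tunnel and the RV325 sources the traffic from its WAN address. Note the model covers only the outbound direction the reply addresses; it does not change the router's refusal to create a forwarding rule to a 172.16.100.x address, which is the inbound problem the original post raised.
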
Hello,

I just wanted to touch base with you to see if you were able to configure the full tunnel and if it worked for you.

Please let us know.