RV042 VPN - Allow External IP Access to an internal resource

Dec 15th, 2009

Hi all,


I've set up an RV042 at our office and have created a VPN to allow mobile workers to connect to our internal network.  We have a vendor who needs to ssh into an internal server, but I'm having trouble getting this set up.  The documentation suggested an "access rule" to allow traffic from our vendor's static IP address to the internal server, but when I tried it, it didn't work.


Supposing our WAN1 IP address is 1.1.1.1 and the vendor's static IP address is 2.2.2.2, can anyone step me through setting up a carveout/hole in our VPN to allow the vendor to ssh into 1.1.1.1 from 2.2.2.2 and be directed to a specific computer in our network?  Any help would be fantastic!


Thanks!


(PS I'm on Firmware Version: 1.3.12.19-tm)

Alejandro Gallego Tue, 12/15/2009 - 23:00
User Badges: Cisco Employee

Want to make sure I am clear with what you have and trying to do.


Remote Site (Client)                                 Your Site (RV042)
IP: 2.2.2.2            =====> IPSec VPN =====>       IP: 1.1.1.1
Needs to connect via SSH                             Server for SSH connection


Is this what you meant when you stated that you have set up VPN on the router?

If yes, and you only want them to connect to a specific box via SSH then the rule should be something like this:

allow (service) from 2.2.2.2 on WAN 1 to [where "service" is SSH port 22]


But if the only reason the VPN was created is to allow your clients access the server via SSH, then a port forward may be a better choice. Forward port 22 for SSH to the server and create the allow rule the same as above.

I am curious to see why if you connect via VPN we are still not able to access the server via SSH, with or without the rule.

Please expand on your set up as much as possible.

blasty1010 Wed, 12/16/2009 - 07:53

Thanks for the quick response...  A bit more detail:


Our company runs a server and some printers inside our internal network that outside sales reps who travel need to be able to connect and print to.  We set up a VPN with the RV042 and allow the outside reps to connect through a VPN client (IPSecuritas) on their laptops.  This was pretty easy to set up with the RV042.


Separately from the outside sales reps who we completely allow into the VPN, we have a vendor that maintains our server who needs to be able to SSH directly into that machine.  We don't want to grant that company access to our entire internal network and in the past (with our previous VPN box) have created a "hole" that allows SSH connections from their static IP address and routes them directly to the server within our network.


What I'm looking for is some guidance on how to do this with the RV042.  Does this require port forwarding and an access rule?  Or something else altogether?


Thanks!


For reference, I've attached screenshots of what I have right now that's not working...

Te-Kai Liu Wed, 12/16/2009 - 08:18
User Badges: Gold, 750 points or more

Before you add the allow rule to allow a given fixed IP (you have this part done), you might want to add a deny rule to deny all source IPs accessing the target LAN IP.
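The ordering point in this reply, as an added illustration that is not part of the thread: a small first-match rule model in Python showing why the catch-all deny is needed and why the vendor allow has to sit above it. The RV042 is configured through its GUI, so this is a model, not router code; the server's LAN address and the first-match, default-allow behaviour of a bare port forward are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

VENDOR_IP = "2.2.2.2"        # the vendor's static address from the thread
SSH_SERVER = "192.168.1.10"  # constructed LAN address of the server behind the RV042

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    source: str          # source CIDR; "0.0.0.0/0" means any WAN source
    dest: str            # LAN target CIDR
    port: Optional[int]  # None means any service/port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.dest)
                and (self.port is None or self.port == port))

def decide(rules: List[Rule], src: str, dst: str, port: int,
           default: str = "allow") -> str:
    """Verdict for one inbound WAN->LAN connection: rules are checked
    top-down, first match wins, `default` applies when nothing matches.
    Model assumption: a bare port forward admits any source, so the
    default is "allow"; that is why the catch-all deny rule is needed."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return default

# "Only 2.2.2.2 may SSH to the server": the specific allow must sit
# above the catch-all deny so it is matched first.
VENDOR_ONLY = [
    Rule("allow", f"{VENDOR_IP}/32", f"{SSH_SERVER}/32", 22),
    Rule("deny", "0.0.0.0/0", f"{SSH_SERVER}/32", None),
]
# Same rules with priorities swapped: the deny matches first and the
# vendor is locked out along with everyone else.
DENY_FIRST = list(reversed(VENDOR_ONLY))
# Port forward only, no access rules: every WAN source reaches port 22.
FORWARD_ONLY: List[Rule] = []

def policy_outcomes(rules: List[Rule]) -> dict:
    """Verdicts for the connection attempts worth checking before go-live."""
    return {
        "vendor_ssh": decide(rules, VENDOR_IP, SSH_SERVER, 22),
        "stranger_ssh": decide(rules, "3.3.3.3", SSH_SERVER, 22),
        "vendor_other_port": decide(rules, VENDOR_IP, SSH_SERVER, 3389),
    }
```

Comparing `policy_outcomes(FORWARD_ONLY)` with `policy_outcomes(VENDOR_ONLY)` shows the exposure the deny rule closes, and `policy_outcomes(DENY_FIRST)` shows the lockout that a wrong priority order causes.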

blasty1010 Wed, 12/16/2009 - 10:48

I'm not sure I'm entirely understanding this...  Could you provide a bit more explanation since I'm a total newbie???


Sorry if I sound stupid, I'm just new to doing this myself and am trying very hard to understand how to implement the concepts...


Thanks again!

blasty1010 Wed, 12/16/2009 - 11:05

OK thanks, that makes perfect sense now.  I've attached screenshots of what I've got right now, but when the vendor tries to SSH to the RV042's WAN1 IP address, it just sits there and does nothing.  I looked at the log, and it looks like it accepts the connection then refuses it...


What should I make of this?


Thanks!

Te-Kai Liu Wed, 12/16/2009 - 22:08
User Badges: Gold, 750 points or more

Would you please call the Small Business Support Center and provide your network topology and router configuration file so we can look further into this issue?

charlessimpson Thu, 05/10/2012 - 18:37

I have a us520, you wouldn't happen to know the code for changing this with the access list?