cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1514
Views
0
Helpful
10
Replies

rv042 as vpn behind Juniper SSG5 firewall

engtong84
Level 1
Level 1

Hi,

Due to various reasons, I need to configure a new RV042 behind a SSG5 firewall. All VPN connections is client to gateway.

Firstly, i tried doing a direct connection(bypassing the firewall), the quickVpn status says connect but I can't even ping the rv. I suspect is due to client own ip is 192.168.1.x and the gateway ip is also 192.168.1.10. How do I resolve this such that users can connect anywhere without having to worry about clash of ip?

Any advice on how to place the rv behind a firewall specifically a SSG5?

10 Replies 10

Tom Watts
VIP Alumni
VIP Alumni

Hi Vincent,

The Juniper device will have to support the appropriate VPN passthrough and likely need to have all applicable ports forwarding to the RV042.

Additionally, if that implementation is too sloppy, you may try to configure a DMZ client on the Juniper for the RV042 connection.

Also, if you have multiple IP block you may configure one to one NAT on the Juniper pointing to the RV042

I would recommend to give Juniper a call and ask them how to get the RV042 as a DMZ connection.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

engtong84
Level 1
Level 1

Hi Thomas,

Thanks for the quick reply, unfortunately we no longer have support for the juniper. I see what I can do from here.

Any idea on how to resolve connecting clients with conflicting ip ranges with IPSec? I would need to connect more than 5 users so pptp would be unsuitable.

If it's possible, change the RV0XX subnet to something more obscure such as 10.150.1.1. Almost all manufactured routers are 192.168.1.x or 172.16.1.x.

Otherwise you would need a connection that supports assigning IP address from the router when connected (as you mentioned, PPTP does do that).

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

engtong84
Level 1
Level 1

Before I get to the juniper part, I'm getting frustrated getting the RV VPN to work. Now the connection is straight wan then the RV, yet I cannot connect using quickVPN.

The weird part is I managed to get the connection going for awhile then it just stopped working during connection with the quickVpn hanging at verifying network and i cannot figure why. Checking the logs on the client, it says cannot ping gateway internal ip. Checking the RV logs shows that there is activty and connections. Isn't it supposed to be straight forward?

I switched off the RV firewall to no avail. The client is also checked that only windows firewall is on and all the relaxant ports are open.

I would appreciate any help or advice.

Hi Vincent,

From where are you testing the connection? And, what connection type are you testing it from?

If you want, send me a message with your public WAN IP and create an user for me  tom12345/tom12345 and I will test from my location.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Vincent, thanks for the message. I have connected from my home location using a Window 7- 64 bit computer on Charter ISP. I'm currently connected for 8 minutes at the time I'm writing this.

In unusual cases, I've seen customer's outbound connection to be the actual problem. A lot of times using product like Verizon hotspot or tether to a phone, these connections fail, either due to not enough upload or because the connection will drop the ESP packets. I've also seen on VERY RARE instance, routers on a LAN connection have the same behavior, but if you connect directly to the modem, everything works great.

The QVPN can fail for a lot of reasons aside connection oriented reasons, such as security. On Window 7 and Vista, the Window firewall must be enabled. On XP, the firewall disabled.

3rd party security software also makes particular problems, such as Norton and MCAfee services, also things like Panda software. Right now I am running AVG and it does not interfere with my ability to connect.

You may consider to try to reboot your computer in safe mode with networking, as it should load only core system components.

I hope this may help you some.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hi Thomas,

Thanks for your help, somehow my connection seems to be working at the moment.

As im using the same laptop for testing, im sure its not a problem on the OS if i can connect sometimes.

If it's mobile tethering problem, it's going to be a problem as it's a popular way of connectivity here especially the users are on the go.

Any tools or advice or how can I track down the issue?

Thanks again for your help.

Vincent, it is good news to know if your computer can connect. It rules out the RV042 ISP connectivity. It rules out the RV042 ability to accept an inbound connection. It also rules out your computer's ability to connect since it works.

Saying this, I would assess what connections you are using. Typically, it is not supported if people are using air cards or tether technologies, satelite connection because they are unreliable in nature, but in addition, often uncontrollable as they are managed by 3rd party.

If you're tethering to a cell phone as an example, you may want to check the IP address your computer receives from this. It may be just an IP conflict. But ultimately it is hit or miss due to reliability if it is not conventional method of connectivity.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hi Thomas,

Thanks for the help so far, after more troubleshooting, i've changed the client to shrewsoft VPN client, and I can connect properly now.

The next problem is that I can ping my rv internal ip which is 192.168.21.88 but I can't ping any other devices on the network. I've used the rv diagnostics ping and it's returning fine.

The rv used as a VPN box seems to be quite a handful...

Hi Vincent, assuming all configuration is good to go it is usually a LAN based issue. The most common issues I see

  • When using active directory, the group policy needs to change to allow the remote IP subnet
  • When using active directory, the inbound VPN connection needs to be set as private, not public
  • When connecting to Unix box, need to allow the IP routing of the remote subnet or remove the firewall
  • When connecting to a Windows Workgroup, the remote computer workgroup should match
  • When accessing Window computers, the Window firewall needs to be disabled
  • If you're unable to map a drive, need to remove Window firewall
  • 3rd party software such as Panda, Norton, McAfee will block ICMP message
  • 3rd party software such as Panda, Norton, McAfee view inbound connection from different subnet as a security risk

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: