Connect to an Existing Network When the SA540 Is Not the Default Gateway

Sat, 07/09/2016 - 08:10
Apr 26th, 2016
Cisco Support Community

Article ID: 3355

Objectives

This document explains how to connect to a network when the VPN router is not connected to the default gateway for the network. This allows remote workers or teleworkers to connect to the corporate network without using the SA540 Security Appliance as the default gateway. The topology used to represent this scenario is as follows:

Applicable Devices

• SA540 Security Appliance

Connect to an Existing Network When the SA500 Is Not the Default Gateway

Set Static IP for Router 1 and Router 2

Step 1. Log in to the web configuration utility and choose Networking > WAN > IPv4 Config. Scroll down to the Internet IP Address area:

Step 2. Choose Use Static IP Address from the IP Address Source drop-down list.

Step 3. Enter your desired IP address for router 1 into the IP Address field. 

Note: Make sure the IP addresses of router 1 and router 2 are in the same network; this means the first three octets are the same.

Step 4. Enter your desired subnet mask into the IP Subnet Mask field.

Step 5. Enter your desired gateway IP address into the Gateway IP Address field.

Step 6. Enter your desired primary DNS (Domain Name Server) into the Primary DNS Server field.

Step 7. (Optional) Enter your desired secondary DNS into the Secondary DNS Server field.

Step 8. Choose Default from the Maximum Transmission Unit (MTU) Type drop-down list. Default MTU size is 1500.

Step 9. Choose Use Default Address from the MAC Address Source drop-down list.

Step 10. Repeat Steps 2-9 for router 2.

Configure IPv4 LAN and Setup VPN

Step 1. Navigate to Networking > LAN > IPv4.

Step 2. Choose None from the DHCP Mode drop-down list to disable the DHCP server.

Step 3. Navigate to VPN > VPN Wizard.

Step 4. Choose Remote Access from the Select VPN Type drop-down list.

Step 5. Check the Enable Cisco VPN Client check box.

Step 6. Enter a Connection Name and a Pre-shared Key for the connection.

Note: In this example we will be using "example" as our connection name and pre-shared key.

Step 7. Choose Dedicated WAN from the Local WAN Interface drop-down list.

Step 8. Choose IP Address from the Local Gateway Type drop-down list.

Step 9. Enter your WAN IP address into the Local WAN's IP Address/FQDN field. 

Create IPSec Users for VPN use

Step 1. Navigate to VPN > IPSec Users through the GUI.

Step 2. Click Add to add a new IPSec User or click the pencil icon to edit a user that already exists.

Step 3. Enter a Username for the new user in the User Name field.

Step 4. Choose Standard IPSec (XAuth) from the Remote Peer Type drop-down list.

Step 5. (Optional) Check the Allow user to change password check box if you want to allow the user to change his/her own password.

Step 6. Enter your desired password into the Password and Confirm Password fields.

Configure Dynamic IP Range for the VPN Router

Step 1. Navigate to VPN > IPSec > Dynamic IP Range through the GUI.

Step 2. Choose either Split Tunnel or Full Tunnel mode from the Tunnel Mode drop-down list. This determines whether the client can access both the WAN and LAN networks over the same connection (split tunnel).

Step 3. Enter the start and end IP addresses into their respective fields to define the address range that can be assigned to the VPN clients. In this example we will accommodate 50 clients.

Setup VPN Network on the Remote Worker's PC

Step 1. Navigate to the Network and Sharing Center on the remote worker PC.

Step 2. Click Set up a new connection or network.

Step 3. Click Connect to a workplace to connect to the VPN.

Step 4. Click Next to continue to connect to the VPN.

Step 5. Click Use my Internet connection (VPN) to connect to the VPN.

Step 6. Enter the connection name in the Connection Entry field.

Step 7. Enter the description of your connection into the Description field.

Step 8. Enter the host IP address into the Host field.

Step 9. Click the Group Authentication radio button.

Step 10. Enter your username into the Name field.

Note: The username is the username you set up in Step 7.

Step 11. Enter your password into both the Password and the Confirm Password fields.

Note: The password is the pre-shared key chosen in Step 7.

Step 12. Click Save.

Step 13. Choose the newly created connection and click Connect.

Step 14. Enter the username into the Username field.

Step 15. Enter the password into the Password field.

Configure Static Route to the VPN Router

Step 1. Navigate to Networking > Routing > Static.

Step 2. Click Add to add a static route for the VPN network, so that SA500 traffic intended for VPN clients goes to the VPN router instead of the default gateway.

Step 3. Enter the name you want to use to identify the network in the Route Name field.

Step 4. Check the Active and Private check boxes.

Step 5. Enter the network IP into the Destination IP Address field.

Step 6. Enter the subnet mask for the network into the IP Subnet Mask field.

Step 7. Choose LAN from the Interface drop-down list.

Step 8. Enter the gateway IP address that is on the same network as the device into the Gateway IP Address field.

Step 9. Enter a number into the Metrics field to determine how many hops the packet can take to get to the final destination.

Step 10. Click Apply.
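
The address arithmetic behind the static route and the same-network note, as an added example (not part of the original article and not Cisco code): this Python sketch derives the Destination IP Address and IP Subnet Mask that cover an IPv4 dynamic IP range and checks that the gateway is on the LAN. All addresses are constructed sample values, the function names are hypothetical, and the rule that the client pool must not overlap the LAN is an assumption of this example.

```python
import ipaddress

def same_network(ip_a, ip_b, mask):
    """True when both addresses fall in the same subnet under `mask`."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b

def static_route_for_pool(pool_start, pool_end, lan_cidr, vpn_router_ip):
    """Derive the static-route fields that send VPN-client traffic to the VPN router."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    lan = ipaddress.ip_network(lan_cidr)
    gateway = ipaddress.ip_address(vpn_router_ip)
    if end < start:
        raise ValueError("pool end address is below pool start address")
    # The gateway must be reachable on-link, i.e. on the same network as the device.
    if gateway not in lan:
        raise ValueError(f"gateway {gateway} is not on LAN {lan}")
    # Widen a /32 around the first address until the last one fits: the result is
    # the smallest single network (one route entry) that covers the whole pool.
    route = ipaddress.ip_network(f"{start}/32")
    while end not in route:
        route = route.supernet()
    # Assumption of this example: the pool must not overlap the LAN; otherwise
    # LAN hosts treat those addresses as on-link and the route is never consulted.
    if route.overlaps(lan):
        raise ValueError(f"route {route} overlaps LAN {lan}")
    return {
        "Destination IP Address": str(route.network_address),
        "IP Subnet Mask": str(route.netmask),
        "Gateway IP Address": str(gateway),
        "pool_size": int(end) - int(start) + 1,
        "route_size": route.num_addresses,
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    print(same_network("203.0.113.10", "203.0.113.20", "255.255.255.0"))
    for field, value in static_route_for_pool(
        "192.168.200.1", "192.168.200.50", "192.168.75.0/24", "192.168.75.2"
    ).items():
        print(f"{field}: {value}")
```

For the 50-address sample pool the covering route spans 64 addresses, so the route is slightly wider than the range handed out to clients.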
