Bridging identical subnets via VPN/IPsec

We have a Cisco SB ISA550W, as does our client.

We are using software from Rockwell for programming PLCs that absolutely requires the subnet of our programmers' laptops and the subnet of the PLC to be identical in order to connect to the PLC processors. Say the client is a 192.168.111.0 subnet. Say our office is a 192.168.222.0 network.

I would like to configure a VLAN on a specific port of our ISA to 192.168.111.0 and I'm going to run an Ethernet cable from that port to the programmer's laptop. I'm going to statically program the LAN interface of the laptop with say 192.168.111.12 (an IP which I know to be available on the client's network and reserved for us in their DHCP server). Say the IP of the PLC processors on the client's network is 192.168.111.58 that we are wanting to connect to.

First, is this possible and is this the best way to do it? Second, should we use the Cisco AnyConnect client on our programmer's laptop to connect to their network, OR, should I set up an IPsec tunnel between the gateways? We have a static IP on DSL, our client has a static IP with their Satellite ISP.

Comments, suggestions? Will this work? Am I going about this the right way?

Thanks!

Alex

4 REPLIES

Bridging identical subnets via VPN/IPsec

Unfortunately what you're wanting to accomplish is not feasible. The reason is this. What you're stating is that the Programmer and the PLC must be on the same physical network, which means they must be able to communicate at Layer 2. However, the only time a device would send traffic to either your ISA or your client's ISA is if it requires Layer 3 routing, which means that the requestor is looking for something that is not on its own Layer 2 network. I've been racking my brain trying to figure out a way to do this using VPNs, AnyConnect, NAT, etc. and I'm not coming up with one. Most likely your only solution will be to have a device at your client's premises that you can remotely access via RDP, VNC, etc. and then leverage that device to program the PLC.

Sorry I wish I had a better answer for you.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.


Bridging identical subnets via VPN/IPsec

I was terribly afraid of that. It isn't really an option since each Rockwell license serial is attached to a specific hard drive ID and each license costs us $5,000. So you can see why we need this working from our laptops to their PLCs. We are a very small family owned company of only a few employees.

When you say physical do you mean the same subnet? Far as I know it only must be the same subnet, however I have no clue on the layer stuff you speak of. Perhaps I should also consult with Rockwell.

Thank you for the help, please let me know if you can think of anything that might work!

Alex

Bridging identical subnets via VPN/IPsec

Alex,

Yes, when I say physical, I do mean same subnet. I would recommend contacting Rockwell to confirm that there is no other way to manage those PLCs from a remote subnet. As a side note, it has been my experience that sometimes manufacturers say no when 'yes' is the reality. If it is possible to input a gateway IP address on the PLC, then there is a strong possibility that you would be able to remotely access the PLC. However, if inputting a gateway IP address is not an option, then you would in fact have to be on the same subnet.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
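
The forwarding rule discussed in the replies above, as an added example that is not part of the original thread: it models the per-packet decision each host makes for the addresses in the question. The /24 masks, the gateway addresses 192.168.111.1 and 192.168.222.1, the laptop address 192.168.222.20 and a routed site-to-site tunnel between the two ISAs are assumptions constructed for illustration.

```python
import ipaddress

def next_hop(iface, gateway, dst):
    """Forwarding decision an IP host makes for one packet.

    iface   -- sender's 'address/prefix'
    gateway -- sender's default gateway, or None if it has none
    dst     -- destination IP address
    """
    net = ipaddress.ip_interface(iface).network
    if ipaddress.ip_address(dst) in net:
        # Destination looks on-link: the host ARPs on its own segment
        # (Layer 2) and never hands the packet to a gateway.
        return "arp-local"
    if gateway is None:
        return "no-route"
    return "via-gateway"

def round_trip(client_if, client_gw, plc_if, plc_gw):
    """Return (request decision, reply decision, reachable over the tunnel).

    The two sites are separate segments joined only by a routed tunnel
    (assumption), so traffic crosses only if each host sends its packet
    to a gateway.
    """
    client_ip = str(ipaddress.ip_interface(client_if).ip)
    plc_ip = str(ipaddress.ip_interface(plc_if).ip)
    out = next_hop(client_if, client_gw, plc_ip)
    back = next_hop(plc_if, plc_gw, client_ip)
    return out, back, out == "via-gateway" and back == "via-gateway"

PLC = "192.168.111.58/24"  # PLC address from the question; /24 is assumed

def scenarios():
    return {
        # Laptop given the client's subnet while sitting in the office.
        "same-subnet laptop": round_trip(
            "192.168.111.12/24", "192.168.111.1", PLC, None),
        # Laptop on the office subnet, PLC accepts a gateway address.
        "routed, PLC has gateway": round_trip(
            "192.168.222.20/24", "192.168.222.1", PLC, "192.168.111.1"),
        # Laptop on the office subnet, PLC has no gateway setting.
        "routed, PLC has no gateway": round_trip(
            "192.168.222.20/24", "192.168.222.1", PLC, None),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} {result}")
```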


Bridging identical subnets via VPN/IPsec

Hi Alex

Those damn PLCs are a PITA to configure and usually do not have anything called "default gateway" lol

I have faced almost the same scenario for a client in another country, where I solved it as described by Shawn: set up a virtual management computer at the client's location. You can also check with your software support if the license terms allow you to clone the physical computer to a virtual one. Some license terms allow you to run the software in the same virtual PC, but only one computer, virtual or physical, is allowed to be powered on and use the software. Then do RDP or TeamViewer to that client to program the PLC.

BR
