Cisco Support Community

RV340W to ASA 5515X site-to-site single peer to multiple networks workaround - any suggestions?

Hi,

 

We have an ASA5515X at central and a new RV340W at a new satellite office.  Various internal networks hang off the ASA and we would like these all accessible through site-to-site VPN from the RV340W.

 

Due to known bug CSCve98765, the RV340W won't allow our outside ASA IP to be defined in multiple tunnels.  We bodged it by using URLs that equate to that IP, which is workable but unstable, with the RV340W being very confused as to which of the three tunnels is up and which is down (they're all up, at least for a while, or all down).  So we've dropped back to just passing the core intranet down one tunnel to keep the thing up.  This is absolutely non-ideal.

 

Can anyone think of a possible workaround, until this is fixed?  I know very little about this stuff, but would it, for instance, somehow be possible to configure multiple IPs on the ASA outside interface (sub-interfaces?) and thereby have the RV340W talk to different central IPs, but with effectively the same 'multi-tunnel' result?  It's a waste of public IPs, but we can spare a couple as bandaids for now until we're able to get to Cisco headquarters with torches and pitchforks and show them what 'moderate severity' really looks like.  :-)

Thanks,

 

Frank

4 REPLIES

Re: RV340W to ASA 5515X site-to-site single peer to multiple networks workaround - any suggestions?

Not being able to add more networks to the VPN tunnel, moderate bug >:

 

Getting back to your question.

The ASA supports configuring multiple IPs on different sub-interfaces and assigning different crypto maps to those interfaces, but the problem is that the RV340W will be able to reach just one of those IPs on the ASA, provided that the RV340W has one public IP.

Example ASA config:

G0/0 - OUTSIDE1 - 1.1.1.1

G0/1 - OUTSIDE2 - 2.2.2.2

route OUTSIDE1 <RV340W-PUBLIC-IP> 255.255.255.255 1.1.1.2

The RV340W will be able to reach the OUTSIDE1 interface and bring up the VPN tunnel, but it will not be able to do that with the OUTSIDE2 interface.

Possible workarounds:

- contexts on the ASA

- more public IPs available on the RV340W

 

Community Member

Re: RV340W to ASA 5515X site-to-site single peer to multiple networks workaround - any suggestions?

Hi Bogdan,

 

Thanks for responding.  So what I'm inferring is:

 

1. I could overload the single physical ASA outside interface with multiple public IPs

2. The RV340W could then have tunnels set up, one per ASA IP, which means that end appears good

3. But the ASA won't allow multiple tunnels to the same remote IP, so I would also need multiple IPs on the RV340W

 

Is that right?  I do see an 'Add/Edit WAN Sub-interface' page on the RV340W - is adding additional public IPs what this is for?

 

I plainly need to do some reading on all this.  We've not got a dedicated network tech in house, unfortunately, and that ASA outside interface is serving all our live websites, besides this darn VPN.  Do you have any tips on where to start?

Thanks for your input!

 

Re: RV340W to ASA 5515X site-to-site single peer to multiple networks workaround - any suggestions?

1. You can't configure secondary IP addresses on the ASA; you will have to create new interfaces or subinterfaces, and you can't have overlapping IPs.

2. I do not have any experience with the RV340W; Cisco says you can have up to 50 tunnels, so it should be OK.

3. The ASA allows multiple tunnels to the same remote IP, but the ASA will not respond to traffic intended for an interface when it is coming in and going out on a different interface.
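
The routing constraint described in the replies above, as an added example that is not part of the original thread: a simplified Python model in which a tunnel can terminate on an ASA interface only if the route back to the peer leaves through that same interface. Interface names and IPs follow the example config; the /30 masks and the 203.0.113.x RV340W addresses are assumptions.

```python
import ipaddress

# Interface names/IPs follow the thread's example; the /30 masks and the
# 203.0.113.x RV340W addresses are constructed assumptions.
INTERFACES = {
    "OUTSIDE1": ipaddress.ip_interface("1.1.1.1/30"),
    "OUTSIDE2": ipaddress.ip_interface("2.2.2.2/30"),
}
RV340W_IP_A = ipaddress.ip_address("203.0.113.10")
RV340W_IP_B = ipaddress.ip_address("203.0.113.11")  # hypothetical second IP


def host_route(ip, ifname):
    """Equivalent of: route <ifname> <ip> 255.255.255.255 <next-hop>."""
    return (ipaddress.ip_network(f"{ip}/32"), ifname)


def egress_interface(routes, dst):
    """Longest-prefix match; returns the interface used to reach dst."""
    matches = [(net.prefixlen, ifname) for net, ifname in routes if dst in net]
    return max(matches)[1] if matches else None


def tunnel_can_form(routes, remote_ip, local_ifname):
    """Simplified rule from the thread: the reply to the peer must leave
    through the interface the peer addressed, or the ASA stays silent."""
    return egress_interface(routes, remote_ip) == local_ifname


def summarize(routes, remote_ips):
    """Map (remote IP, ASA interface) -> whether that tunnel can come up."""
    return {(str(ip), name): tunnel_can_form(routes, ip, name)
            for ip in remote_ips for name in INTERFACES}


CONNECTED = [(iface.network, name) for name, iface in INTERFACES.items()]
# Case 1: one RV340W public IP, host route via OUTSIDE1 (the thread's example).
SINGLE_IP_ROUTES = CONNECTED + [host_route(RV340W_IP_A, "OUTSIDE1")]
# Case 2: workaround with a second RV340W public IP routed via OUTSIDE2.
TWO_IP_ROUTES = SINGLE_IP_ROUTES + [host_route(RV340W_IP_B, "OUTSIDE2")]

if __name__ == "__main__":
    for label, routes, ips in (
        ("single RV340W IP", SINGLE_IP_ROUTES, [RV340W_IP_A]),
        ("two RV340W IPs", TWO_IP_ROUTES, [RV340W_IP_A, RV340W_IP_B]),
    ):
        print(label)
        for (ip, name), ok in summarize(routes, ips).items():
            print(f"  {ip} -> {name}: {'up' if ok else 'no reply'}")
```

With one remote IP only the OUTSIDE1 tunnel can form; adding a second remote IP with its own host route is what lets a second tunnel terminate on OUTSIDE2.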

Community Member

Re: RV340W to ASA 5515X site-to-site single peer to multiple networks workaround - any suggestions?

Thanks Bogdan.  It's apparent that I'm living in a dream world if I think I can pull this off as a workaround.  I will fall back to either waiting for a firmware upgrade or returning the unit and getting something that works from someone else.
