ER605 - VPN passthrough vs one domain
ER605 - VPN passthrough vs one domain
I have an unusual issue. My work requires I first connect to the company VPN, and then to a Cisco AnyConnect VPN to access other tools. With the ER605 having VPN passthough on my default, all used to work fine. Then sometime last year, I find that some sites and apps that once worked over AnyConnect no longer do. My solution was to add a second router (A NetGear in this case) that connects to the same ER605. It seems to only fail getting do a small (but important) number of svcs on the work network, and only when AnyConnect is engaged.
I don't do anything special with this ER605 other than assign static IPs on the LAN. I've tried putting the PC in the DMZ without success. Even tried putting the ER605 to factory defaults once, and still no luck. Our engineers didn't have a solution except to suggest adding a second router on the DMZ. The DMZ didn't seem to matter though, I've disabled it and the second router still functions fine.
As I have a working solution, I'm loathe to blame anything outside of my LAN. Typically I'd include all the specs and firmware info, but really I'm just interested in anyone's thoughts on why adding a second router between the PC and ER605 vs a direct connection to the ER605 would be actually be a solution.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
sorry for the late reply.
The list of routes is quite large, including large swaths of 10.x.x.x subnets. I also use 10.x.x.x on my LAN.
Someone once suggested that could be an issue, but I figured that surely many people use the 10.x.x.x scheme. Perhaps I should give that another thought. I do see a range that's not in the unsecured list, and changing a static IP on the LAN side is certainly a small enough amount of effort to give it a try later today.
Edit: That said, the list of secured routes includes: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, so maybe I shouldn't raise my expectations too high on that
- Copy Link
- Report Inappropriate Content
if you use the whole rfc1918 (all private ips) then you will have problems if you want to reach other private ip networks outside vpn tunnel, so if you can limit which ip is secure then it might work :-)
- Copy Link
- Report Inappropriate Content
Just wanted to follow up and note that I did find a solution.
First I upgraded to an ER7302: which by itself didn't fix the issue, but that alone increased my VPN speeds nearly twice fold.
Then I created a VLAN in the router to issue DHCP addresses in the 198.168.x.x range to the VLAN members. Although the AnyConnect routes listed all private IP ranges as secure, this was the change that worked.
Thanks for exploring this with me :)
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1590
Replies: 13
Voters 0
No one has voted for it yet.