12-10-2012 06:57 AM
Hello,
I have a 2960S Catalyst switch in my LAN, with the firewall and the servers in the same VLAN (vlan 3).
All the servers and the firewall in vlan 3 are in the "192.168.19.0/24" subnet; the firewall has the IP "192.168.19.1".
I can land on the firewall with a VPN (192.168.130.0/24) which has a complete view on the subnet 19/24.
I can access, manage and get SNMP information of the Catalyst from the servers but I can't do the same from the VPN.
Is there some feature I need to enable on the switch in order to allow 192.168.130.0/24 to access it?
Thank you in advance
Maurizio
12-19-2012 09:31 AM
Hi Maurizio,
Can you ping anything on the 192.168.19.0/24 network when you are on the VPN?
Kind regards,
Paul
12-20-2012 12:49 AM
Hi Paul,
thank you for your reply.
Yes, I can ping every host on the 192.168.19.0/24 network (1) but the switch.
From the switch itself I obviously can ping everything in the same LAN but the default gateway 192.168.19.1 and the network on the other side of the VPN (192.168.21.0/24).
From any host in the .19.0/24 network I can ping the default gw and every host in the 21.0/24 subnet.
Here (2) is the running-config of the switch.
(1)
Starting Nmap 5.51 ( http://nmap.org ) at 2012-12-20 09:30 ora solare Europa occidentale
Nmap scan report for 192.168.19.1
Host is up (0.015s latency).
Nmap scan report for 192.168.19.3
Host is up (0.016s latency).
Nmap scan report for 192.168.19.21
Host is up (0.047s latency).
Nmap scan report for 192.168.19.25
Host is up (0.063s latency).
Nmap scan report for 192.168.19.26
Host is up (0.063s latency).
Nmap scan report for www.***** (192.168.19.108)
Host is up (0.047s latency).
Nmap scan report for 192.168.19.109
Host is up (0.047s latency).
Nmap scan report for 192.168.19.110
Host is up (0.062s latency).
Nmap scan report for 192.168.19.113
Host is up (0.062s latency).
Nmap scan report for 192.168.19.114
Host is up (0.11s latency).
Nmap scan report for 192.168.19.115
Host is up (0.11s latency).
Nmap scan report for 192.168.19.117
Host is up (0.11s latency).
Nmap scan report for mail.***** (192.168.19.118)
Host is up (0.11s latency).
Nmap scan report for 192.168.19.119
Host is up (0.11s latency).
Nmap scan report for 192.168.19.120
Host is up (0.11s latency).
Nmap scan report for 192.168.19.124
Host is up (0.015s latency).
Nmap scan report for 192.168.19.126
Host is up (0.078s latency).
Nmap scan report for 192.168.19.127
Host is up (0.078s latency).
Nmap scan report for 192.168.19.128
Host is up (0.12s latency).
Nmap scan report for 192.168.19.135
Host is up (0.00s latency).
Nmap scan report for 192.168.19.136
Host is up (0.031s latency).
Nmap scan report for 192.168.19.137
Host is up (0.047s latency).
Nmap scan report for 192.168.19.220
Host is up (0.031s latency).
Nmap scan report for 192.168.19.230
Host is up (0.062s latency).
Nmap scan report for 192.168.19.240
Host is up (0.012s latency).
Nmap done: 256 IP addresses (25 hosts up) scanned in 17.78 seconds
(2)
!
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname **********
!
boot-start-marker
boot-end-marker
!
enable secret 5 **********
!
!
!
no aaa new-model
clock timezone GMT 1
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
crypto pki trustpoint TP-self-signed-1530384128
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1530384128
revocation-check none
rsakeypair TP-self-signed-1530384128
!
!
crypto pki certificate chain TP-self-signed-1530384128
certificate self-signed 01
**********
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ftp username **********
ip ftp password 7 **********
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet0/1
description **********SW1
switchport access vlan 2
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/2
description **********-WG
switchport access vlan 2
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/3
description WG XTM5
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/4
description SAN MGMT
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/5
description PDU1
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/6
description **********SRV
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/7
description **********SRV
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/8
description **********SRV
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/9
description **********GSM
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/10
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/11
description **********LAN1
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/12
description **********
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/13
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/14
switchport access vlan 3
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/15
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/16
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/17
description iSCSI Hercules
switchport access vlan 4
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/18
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/19
description iSCSI **********
switchport access vlan 4
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/20
description iSCSI **********
switchport access vlan 4
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/21
description SAN Dati
switchport access vlan 4
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/22
description SAN Dati
switchport access vlan 4
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/23
description Trunking
switchport trunk native vlan 4
switchport mode trunk
!
interface GigabitEthernet0/24
switchport mode trunk
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/25
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/26
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface Vlan1
no ip address
!
interface Vlan3
ip address 192.168.19.10 255.255.255.0
!
ip default-gateway 192.168.19.1
ip http server
ip http secure-server
!
ip access-list standard TELNET-ACCESS
permit 192.168.21.103
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0000.5e00.0118 ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp ********** 0100.5e5e.c7cc ARPA
arp 192.168.19.1 0100.5e28.1301 ARPA
snmp-server community WORD RO
snmp-server community ro RO
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps transceiver all
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps cluster
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps energywise
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps power-ethernet group 1-4
snmp-server enable traps power-ethernet police
snmp-server enable traps cpu threshold
snmp-server enable traps rep
snmp-server enable traps vstack
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps errdisable
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host 192.168.19.135 public
snmp-server host 192.168.21.134 public
snmp-server manager
snmp mib notification-log default
!
line con 0
exec-timeout 0 0
password 7 120A1246475B55277E07207B
logging synchronous
login
line vty 0 4
exec-timeout 0 0
password 7 111A0E544242522F50062F77
logging synchronous
login
line vty 5 15
exec-timeout 0 0
password 7 111A0E544242522F50062F77
login
!
mac address-table static 0100.5e28.1301 vlan 3 interface GigabitEthernet0/3
end
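A management-plane audit of the posted running-config, as an added example that is not part of the thread: it assumes the constructed excerpt below (taken from the config above, with the indentation IOS prints restored) and extracts what a reviewer checks before opening management access from another subnet: the SVI address and default gateway, whether the gateway has a static ARP entry, whether any access-class or ACL restricts the vty lines, and which SNMP communities are configured.

```python
import re

# Constructed excerpt of the running-config posted in the thread; masked lines omitted.
RUNNING_CONFIG = """\
interface Vlan3
 ip address 192.168.19.10 255.255.255.0
ip default-gateway 192.168.19.1
ip http server
ip access-list standard TELNET-ACCESS
 permit 192.168.21.103
arp 192.168.19.1 0100.5e28.1301 ARPA
snmp-server community WORD RO
snmp-server community ro RO
snmp-server community public RO
line vty 0 4
 exec-timeout 0 0
 password 7 111A0E544242522F50062F77
 login
line vty 5 15
 exec-timeout 0 0
 login
"""

WEAK_COMMUNITIES = {"public", "private", "ro", "rw", "word"}

def audit_mgmt_plane(config: str) -> dict:
    """Return management-plane facts and findings from an IOS running-config."""
    findings = []
    svi = re.findall(r"^interface (Vlan\d+)\n ip address (\S+) (\S+)", config, re.M)
    gw = re.search(r"^ip default-gateway (\S+)", config, re.M)
    gateway = gw.group(1) if gw else None
    defined = set(re.findall(r"^ip access-list standard (\S+)", config, re.M))
    applied = set(re.findall(r"^ access-class (\S+) in", config, re.M))
    for name, mode in re.findall(r"^snmp-server community (\S+) (RO|RW)", config, re.M):
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(f"weak SNMP community '{name}' ({mode})")
    if "ip http server" in config.splitlines():
        findings.append("plaintext HTTP management enabled")
    # Each 'line vty' block is its header line plus the indented body that follows.
    for i, body in enumerate(re.findall(r"^line vty [^\n]+\n((?: [^\n]*\n)*)", config, re.M)):
        if "access-class" not in body:
            findings.append(f"vty block {i}: no access-class, any source may connect")
        if "transport input ssh" not in body:
            findings.append(f"vty block {i}: telnet not disabled")
    for acl in sorted(defined - applied):
        findings.append(f"ACL {acl} is defined but applied to no line")
    return {"svi": svi, "gateway": gateway,
            "static_arp_for_gateway": gateway is not None and f"arp {gateway} " in config,
            "findings": findings}
```

Run `audit_mgmt_plane(RUNNING_CONFIG)` to see that TELNET-ACCESS is defined but never applied, so the vty lines are not what blocks 192.168.130.0/24, and that the default gateway is pinned by a static ARP entry, which is worth verifying on the switch itself.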
12-20-2012 01:00 AM
Hi Maurizio,
Which port on the switch is used to uplink to the firewall?
Regards,
Paul
****Please rate useful posts****
12-20-2012 05:25 AM
Hi Paul,
the port dedicated to the firewall is "interface GigabitEthernet0/3".
GigabitEthernet0/1 is used to uplink to the ISP infrastructure.
The GigabitEthernet0/2 is used as a link between the switch (vlan 2) and the firewall.
interface GigabitEthernet0/1
description **********SW1
switchport access vlan 2
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/2
description **********-WG
switchport access vlan 2
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!
interface GigabitEthernet0/3
description WG XTM5
switchport access vlan 3
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
!