03-25-2008 11:58 AM - edited 03-11-2019 05:21 AM
I have a VLAN configured and am trying to connect my other two locations that are using a VPN. This is what I'm thinking I need to do.
Ex:
HQ VLANs
{PIX}
route in 0 0 [Public]
route in 192.168.1.0 255.255.255.0 192.168.5.2
3550 fa0/1 - 192.168.5.1/30 -> 192.168.5.2/30 e1 pix
vlan 10 - 192.168.10.0/24
vlan 11 - 192.168.11.0/24
vlan 12 - 192.168.12.0/24
Br2
network - 192.168.20.0/24
Br3
network - 192.168.30.0/24
HQ
nat (inside) 0 access-list 120
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 120 permit ip 192.168.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 120 permit ip 192.168.12.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 120 permit ip 192.168.11.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 120 permit ip 192.168.12.0 255.255.255.0 192.168.30.0 255.255.255.0
Br2
nat (inside) 0 access-list 120
access-list 120 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 120 permit ip 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 120 permit ip 192.168.20.0 255.255.255.0 192.168.12.0 255.255.255.0
Br3
nat (inside) 0 access-list 120
access-list 120 permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 120 permit ip 192.168.30.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 120 permit ip 192.168.30.0 255.255.255.0 192.168.12.0 255.255.255.0
Is this right, or do I just need to use the route inside command on the other locations' PIXs? I'm assuming that I can use route summarization in the real thing.
03-25-2008 01:31 PM
I would think that you would want your default route for the PIX on the outside interface...
route outside 0 0 {next hop from the PIX}
as for the other route statement
route in 192.168.1.0 255.255.255.0 192.168.5.2
I don't see anywhere you are using the 192.168.1.0/24 subnet.
Is this a new install or existing?
If new, I'd first change the VLANs/subnets so that they are easily included in one ACL statement; it keeps the config cleaner. So instead of VLANs 10, 11, and 12, maybe use VLANs 8, 9, and 10 and then change your subnets accordingly. Then I'd do the following:
{PIX}
route outside 0 0
route inside 192.168.8.0 255.255.252.0 192.168.5.1
Note the mask in the last route statement.
{3550}
ip route 0.0.0.0 0.0.0.0 192.168.5.2
{HQ}
nat (inside) 0 access-list 120
access-list 120 permit ip 192.168.8.0 255.255.252.0 192.168.20.0 255.255.255.0
access-list 120 permit ip 192.168.8.0 255.255.252.0 192.168.30.0 255.255.255.0
{BR2}
nat (inside) 0 access-list 120
access-list 120 permit ip 192.168.20.0 255.255.255.0 192.168.8.0 255.255.252.0
{BR3}
nat (inside) 0 access-list 120
access-list 120 permit ip 192.168.30.0 255.255.255.0 192.168.8.0 255.255.252.0
As for the branch sites, you shouldn't have to add a route for the inside, unless you are subnetting the BR2 and BR3 subnets further or have another L3 device inside that has additional subnets behind it...
03-25-2008 02:46 PM
I'm VLANing an existing network, but creating a new scheme, which is HQ.
I plan on having my networks with a 10.121.1-7.0 which will be subnetted.
HQ - 192.168.1.0/24
Br2 - 192.168.2.0/24
Br3 - 192.168.3.0/24
HQ - 192.168.1.0/24: I am keeping this network on its own VLAN because it has the IBS on it, and I am creating VLANs for the other departments.
These numbers are from an example problem when trying to get the PIX to see inside my network.
Now I'm trying to make sure that the VPN can connect back to HQ, mainly for the 192.168.1.0 network and another VLAN. I'm planning on coming in on Sunday and connecting the PIX and a test PC to see if everything talks, and if it does, the following weekend I will reconfigure all the PCs and printers to the new IPs and VLANs. This was all in the labs for the CCNA. HAHAHA.
HQ equipment
3550 f0/1 = Routing port - 192.168.5.1/30
PIX eth0 - 192.168.5.2/30
The "route outside 0 0 [is the next hop]" is for the outside router that has a public IP.
"route in 192.168.1.0 255.255.255.0 192.168.5.2" - this is for the 192.168.1.0 network to get back inside to the VLAN.
03-25-2008 07:17 PM
I guess I didn't quite follow what you were asking...
If you already have VPN tunnels configured from the branch sites and are adding additional VLANs/subnets at HQ, then you will need to make sure you update the crypto maps that define "interesting" traffic so that the new networks will be allowed across the tunnel. Once the traffic exits the tunnel at HQ, you will need routes on your PIX pointing to any networks behind the 3550 (assuming it is performing inter-VLAN routing).
Is that sort of what you were looking for?
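The two replies above make two claims worth checking before touching the real boxes: that a summary such as 192.168.8.0 255.255.252.0 actually covers every HQ VLAN (it does not cover the original VLAN 12 subnet, which is why renumbering to 8, 9, 10 was suggested), and that the branch side's nat 0 / crypto ACL must be the mirror image of HQ's, because a subnet added on one end only is not carried by the tunnel. The script below is an added example, not part of the thread or any Cisco tool; it uses only the Python standard library, and the ACL lines and VLAN numbers are constructed from the ones discussed here (the Br2 ACL is deliberately left without the VLAN 12 entry to show the failure case).

```python
"""Sanity-check PIX nat-0/crypto ACL pairs between HQ and a branch (added example)."""
from ipaddress import IPv4Network

# --- constructed inputs, taken from the numbers discussed in this thread ---
HQ_VLANS_ORIG = [IPv4Network("192.168.10.0/24"),
                 IPv4Network("192.168.11.0/24"),
                 IPv4Network("192.168.12.0/24")]          # original poster's VLANs 10-12
HQ_VLANS_NEW = [IPv4Network("192.168.8.0/24"),
                IPv4Network("192.168.9.0/24"),
                IPv4Network("192.168.10.0/24")]           # reply's suggestion: VLANs 8-10
SUMMARY = IPv4Network("192.168.8.0/255.255.252.0")        # "note the mask": a /22

# HQ side of the ACL with the poster's three VLANs ...
HQ_ACL = """\
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 120 permit ip 192.168.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 120 permit ip 192.168.12.0 255.255.255.0 192.168.20.0 255.255.255.0
"""
# ... and a Br2 side that was never updated for VLAN 12 (constructed failure case).
BR2_ACL = """\
access-list 120 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 120 permit ip 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0
"""
BR2_NETS = [IPv4Network("192.168.20.0/24")]


def parse_acl(text):
    """Parse 'access-list N permit ip SRC MASK DST MASK' lines into (src, dst) pairs."""
    pairs = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if len(t) != 8 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        # strict=True rejects a network address with host bits set (a common typo)
        src = IPv4Network(f"{t[4]}/{t[5]}", strict=True)
        dst = IPv4Network(f"{t[6]}/{t[7]}", strict=True)
        pairs.append((src, dst))
    return pairs


def uncovered(summary, vlans):
    """VLAN subnets that the summary route/ACL entry does NOT include."""
    return [v for v in vlans if not v.subnet_of(summary)]


def smallest_summary(vlans):
    """Smallest single prefix that contains every given subnet (may over-include)."""
    net = vlans[0]
    while not all(v.subnet_of(net) for v in vlans):
        net = net.supernet()
    return net


def mirror_gaps(hq_pairs, branch_pairs, branch_nets):
    """Compare HQ and branch ACLs as mirror images.

    Returns (missing, extra): entries the branch should have for traffic HQ
    sends to it but lacks, and branch entries with no counterpart at HQ.
    """
    hq, br = set(hq_pairs), set(branch_pairs)
    expected = {(d, s) for (s, d) in hq if d in branch_nets}
    missing = sorted(expected - br)
    extra = sorted(p for p in br if (p[1], p[0]) not in hq)
    return missing, extra


if __name__ == "__main__":
    for label, vlans in (("VLANs 10-12", HQ_VLANS_ORIG), ("VLANs 8-10", HQ_VLANS_NEW)):
        gap = uncovered(SUMMARY, vlans)
        print(f"{label}: not covered by {SUMMARY}: {gap or 'none'};"
              f" smallest single summary would be {smallest_summary(vlans)}")
    missing, extra = mirror_gaps(parse_acl(HQ_ACL), parse_acl(BR2_ACL), BR2_NETS)
    for s, d in missing:
        print(f"Br2 is missing: access-list 120 permit ip {s.network_address} "
              f"{s.netmask} {d.network_address} {d.netmask}")
    for s, d in extra:
        print(f"Br2 has an entry HQ does not mirror: {s} -> {d}")
```

Run it as-is and the first check reports that 192.168.12.0/24 falls outside 192.168.8.0/22 (the next single summary that covers 10, 11 and 12 is 192.168.8.0/21, which sweeps in five unused /24s), while the second check prints the exact Br2 line to add for VLAN 12. The mirror check is the one to re-run every time a VLAN is added at HQ, since the same ACL usually feeds both nat 0 and the crypto map's match address.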
04-03-2008 06:41 AM
Yes, that is what I was looking for.
I need to add to the crypto maps.
Will I need to edit HQ's also, or just the other branch offices?
Can you give me an example?