cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2169
Views
0
Helpful
16
Replies

Implemented VLAN, VPN Client Cannot Access Network Anymore

andrewla1212
Level 1
Level 1

Hello,

My network used to be one flat network. I implemented vlan into the environment, and now my VPN users no longer be able to access any network resources when they are connected. Please advice as what do I need to get my VPN users to access the network again.

The following is my ASA5510 and Catalyst 3550 (router on a stick) Configurations.

===

ASA Version 8.0(2)

!

hostname asa5510

domain-name mydomain.com

enable password LWveUMKns/lIV72z encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 69.x.x.197 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.101.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

passwd GBvC4V1ddiwdpe/1 encrypted

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name mydomain.com

access-list incoming-traffic extended permit tcp any host 69.x.x.198 eq smtp

access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnpool 192.168.0.210-192.168.0.220 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.0.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.2.0 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0

nat (inside) 1 192.168.4.0 255.255.255.0

static (inside,outside) 69.X.x.198 192.168.0.8 netmask 255.255.255.255

access-group incoming-traffic in interface outside

route outside 0.0.0.0 0.0.0.0 69.x.x.193 1

route inside 192.168.0.0 255.255.255.0 192.168.101.253 1

route inside 192.168.1.0 255.255.255.0 192.168.101.253 1

route inside 192.168.2.0 255.255.255.0 192.168.101.253 1

route inside 192.168.3.0 255.255.255.0 192.168.101.253 1

route inside 192.168.4.0 255.255.255.0 192.168.101.253 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:30 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

http server enable

http 192.168.0.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5

ESP-AES-192-SHA ESP-AES-

192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet 192.168.0.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 30

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

ntp authenticate

ntp server 192.168.0.11 source inside

tftp-server inside 192.168.0.88 config-test

group-policy My_VPN internal

group-policy My_VPN attributes

wins-server value 192.168.0.11

dns-server value 192.168.0.11

vpn-idle-timeout 90

vpn-tunnel-protocol IPSec

default-domain value my2k.net

username vpnlogin password RepoHxP/AmoqXrjb encrypted privilege 15

tunnel-group My_VPN type remote-access

tunnel-group My_VPN general-attributes

address-pool vpnpool

default-group-policy My_VPN

tunnel-group My_VPN ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:67614ffa957ef492f06653b431d86a75

: end

===

version 12.2

no service pad

service timestamps debug uptime

service timestamps log datetime

no service password-encryption

service sequence-numbers

!

hostname Switch4

!

enable secret 5 $1$dGie$zBIptoQldueWRtt2Plv5D1

!

no aaa new-model

clock timezone Central -6

ip subnet-zero

ip routing

!

cluster enable Test 0

!

!

crypto pki trustpoint TP-self-signed-2217997056

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2217997056

revocation-check none

rsakeypair TP-self-signed-2217997056

!

!

crypto pki certificate chain TP-self-signed-2217997056

certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer

!

!

spanning-tree mode pvst

spanning-tree portfast default

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!

!

!

!

interface FastEthernet0/1

switchport mode dynamic desirable

!

interface FastEthernet0/2

switchport access vlan 2

switchport mode dynamic desirable

!

interface FastEthernet0/3

switchport mode dynamic desirable

!

interface FastEthernet0/4

switchport mode dynamic desirable

!

interface FastEthernet0/5

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/6

switchport mode dynamic desirable

!

interface FastEthernet0/7

switchport mode dynamic desirable

!

interface FastEthernet0/8

switchport mode dynamic desirable

!

interface FastEthernet0/9

switchport mode dynamic desirable

!

interface FastEthernet0/10

switchport mode dynamic desirable

!

interface FastEthernet0/11

switchport mode dynamic desirable

!

interface FastEthernet0/12

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/13

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/14

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/15

switchport mode dynamic desirable

!

interface FastEthernet0/16

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/17

switchport mode dynamic desirable

!

interface FastEthernet0/18

switchport mode dynamic desirable

!

interface FastEthernet0/19

switchport mode dynamic desirable

!

interface FastEthernet0/20

switchport mode dynamic desirable

!

interface FastEthernet0/21

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/22

switchport mode dynamic desirable

!

interface FastEthernet0/23

switchport mode dynamic desirable

!

interface FastEthernet0/24

switchport mode dynamic desirable

!

interface FastEthernet0/25

switchport mode dynamic desirable

!

interface FastEthernet0/26

switchport mode dynamic desirable

!

interface FastEthernet0/27

switchport mode dynamic desirable

!

interface FastEthernet0/28

description to internet router Cisco ASA5510

no switchport

ip address 192.168.101.253 255.255.255.0

!

interface FastEthernet0/29

switchport mode dynamic desirable

!

interface FastEthernet0/30

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/31

switchport mode dynamic desirable

!

interface FastEthernet0/32

switchport mode dynamic desirable

!

interface FastEthernet0/33

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/34

switchport mode dynamic desirable

!

interface FastEthernet0/35

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/36

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/37

switchport mode dynamic desirable

!

interface FastEthernet0/38

switchport mode dynamic desirable

!

interface FastEthernet0/39

switchport mode dynamic desirable

!

interface FastEthernet0/40

switchport mode dynamic desirable

!

interface FastEthernet0/41

switchport access vlan 2

switchport mode dynamic desirable

!

interface FastEthernet0/42

switchport mode dynamic desirable

!

interface FastEthernet0/43

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/44

switchport mode dynamic desirable

!

interface FastEthernet0/45

switchport mode dynamic desirable

!

interface FastEthernet0/46

switchport access vlan 2

switchport mode dynamic desirable

!

interface FastEthernet0/47

switchport mode dynamic desirable

!

interface FastEthernet0/48

switchport mode dynamic desirable

!

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet0/2

switchport mode dynamic desirable

!

interface Vlan1

description OLD NETWORK

ip address 192.168.1.254 255.255.255.0

ip helper-address 192.168.0.11

!

interface Vlan2

description OFFICES

ip address 192.168.2.254 255.255.255.0

ip helper-address 192.168.0.11

!

interface Vlan3

description MAC WORKSTATIONS

ip address 192.168.3.254 255.255.255.0

ip helper-address 192.168.0.11

!

interface Vlan4

description PRODUCTION_FLOOR

ip address 192.168.4.254 255.255.255.0

ip helper-address 192.168.0.11

!

interface Vlan100

description Back-end Devices

ip address 192.168.0.254 255.255