Intervlan Routing / VPN / NAT

marshallqqqq · ‎10-25-2010

Hello,

I have several questions with regards to our lan/vpn and i hope someone can answer them. We are in the process of changing our ip infrastructure. The network is buildup like this: ASA5520 - 3560 - Several 2950/2960.

Current network:

-All ip's are in 192.168.0.x (DHCP on a windows server)

-VPN DHCP on the ASA gives out 192.168.254.0

New network:

-192.168.2.x VLAN 2 Clients

-192.168.3.x VLAN 3 Clients

-192.168.4.x VLAN 4 Servers (DHCP/AD/DNS on 192.168.4.6)

-192.168.5.x VLAN 5 Network (Network devices)

-192.168.254.x VPN Clients

Current VPN Configuration in the ASA:

access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.0.0 255.255.255.0

ip local pool pool-vpn-client 192.168.254.99-192.168.254.200 mask 255.255.255.0

ip local pool pool-vpn2-client 192.168.254.60-192.168.254.69 mask 255.255.255.0

route Outside 192.168.254.0 255.255.255.0 81.x.x.x 1

aaa-server radiusvpn2 protocol radius

aaa-server radiusvpn2 host editedhostname

key thishasbeenedited

radius-common-pw thishasbeenedited

group-policy svpn internal

group-policy svpn attributes

wins-server value 192.168.0.1

dns-server value 192.168.0.1 192.168.0.2

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split

default-domain value domain.eu

group-policy svpn2 internal

group-policy svpn2 attributes

wins-server value 192.168.0.1

dns-server value 192.168.0.1 192.168.0.2

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split

default-domain value domain.eu

tunnel-group svpn type remote-access

tunnel-group svpn general-attributes

address-pool pool-vpn-client

authentication-server-group radius

default-group-policy svpn

tunnel-group svpn ipsec-attributes

pre-shared-key editedkey

tunnel-group svpn2 type remote-access

tunnel-group svpn2 general-attributes

address-pool pool-vpn2-client

authentication-server-group radius

default-group-policy svpn2

tunnel-group svpn2 ipsec-attributes

pre-shared-key editedkey

New VPN Configuration in the ASA:

access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.2.0 255.255.255.0

nat (inside) 2 192.168.3.0 255.255.255.0

etc.

ip local pool pool-vpn-client 192.168.254.99-192.168.254.200 mask 255.255.255.0

ip local pool pool-vpn2-client 192.168.254.60-192.168.254.69 mask 255.255.255.0

route Outside 192.168.254.0 255.255.255.0 81.x.x.x 1

aaa-server radiusvpn2 protocol radius

aaa-server radiusvpn2 host editedhostname

key thishasbeenedited

radius-common-pw thishasbeenedited

group-policy svpn internal

group-policy svpn attributes

wins-server value 192.168.4.6

dns-server value 192.168.4.6 192.168.4.7

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split

default-domain value domain.eu

group-policy svpn2 internal

group-policy svpn2 attributes

wins-server value 192.168.4.6

dns-server value 192.168.4.6 192.168.4.7

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split

default-domain value domain.eu

tunnel-group svpn type remote-access

tunnel-group svpn general-attributes

address-pool pool-vpn-client

authentication-server-group radius

default-group-policy svpn

tunnel-group svpn ipsec-attributes

pre-shared-key editedkey

tunnel-group svpn2 type remote-access

tunnel-group svpn2 general-attributes

address-pool pool-vpn2-client

authentication-server-group radius

default-group-policy svpn2

tunnel-group spn2 ipsec-attributes

pre-shared-key editedkey

Changes that need to be made:

-Default gateway for all devices will be the 3560 (is now ASA)

-IP routing / inter-vlan routing on the 3560

-IP address out of each range on the 3560

-DHCP helper on the 3560 to the DHCP server

-DHCP scope for each vlan on our windows server

-Default routing.

Now my questions are (note: VPN is in the 192.168.254.0 range!):

1. Can i make a nat for 192.168.0.0/16 or do i need to define it per block (192.168.2.x etc)? Keep in mind that vpn uses 192.168.254.x

2. Do i need to define the VPN subnet on the 3560?

3. I presume i cannot use 192.168.0.0/16 on the ASA because of issues with the VPN route (192.168.254.0 goes Outside int)? This means i would have to make default routes on the inside for each subnet.

4. In the new VPN configuration i only changed DNS/WINS parameters, is this enough or am i missing something.

5. When we did some tests we got a VPN error 433, it seems isakmp nat-t should be able to solve this. Sadly we were unable to test it. I did put as default inside route 192.168.0.0/16 and as NAT 192.168.0.0/16, could this have caused that issue as well? Or do people see anything else that might be missing?

6. If the 3560 has 192.168.2.2 and 192.168.5.2 (5.x is the default network range for my network devices, asa has 5.1). Should i put the default gateway from clients in the 2.x range on 2.2 or on 5.2 and why?

So i hope you can help me understand these routing/nat/vpn issues a bit better.

Best regards,

Ralph

Ps. I hope this is the right subforum cause it seems to be a bit of everything.

marshallqqqq · ‎10-26-2010

Anyone that can help me with some input on these questions?

Curious if people would think its better to put the VPN on for example a class a subnet.