10-25-2010 12:52 AM - edited 03-06-2019 01:42 PM
Hello,
I have several questions with regards to our LAN/VPN and I hope someone can answer them. We are in the process of changing our IP infrastructure. The network is built up like this: ASA5520 - 3560 - several 2950/2960.
Current network:
-All IPs are in 192.168.0.x (DHCP on a Windows server)
-VPN DHCP on the ASA gives out 192.168.254.0
New network:
-192.168.2.x VLAN 2 Clients
-192.168.3.x VLAN 3 Clients
-192.168.4.x VLAN 4 Servers (DHCP/AD/DNS on 192.168.4.6)
-192.168.5.x VLAN 5 Network (Network devices)
-192.168.254.x VPN Clients
Current VPN Configuration in the ASA:
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
ip local pool pool-vpn-client 192.168.254.99-192.168.254.200 mask 255.255.255.0
ip local pool pool-vpn2-client 192.168.254.60-192.168.254.69 mask 255.255.255.0
route Outside 192.168.254.0 255.255.255.0 81.x.x.x 1
aaa-server radiusvpn2 protocol radius
aaa-server radiusvpn2 host editedhostname
key thishasbeenedited
radius-common-pw thishasbeenedited
group-policy svpn internal
group-policy svpn attributes
wins-server value 192.168.0.1
dns-server value 192.168.0.1 192.168.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.eu
group-policy svpn2 internal
group-policy svpn2 attributes
wins-server value 192.168.0.1
dns-server value 192.168.0.1 192.168.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.eu
tunnel-group svpn type remote-access
tunnel-group svpn general-attributes
address-pool pool-vpn-client
authentication-server-group radius
default-group-policy svpn
tunnel-group svpn ipsec-attributes
pre-shared-key editedkey
tunnel-group svpn2 type remote-access
tunnel-group svpn2 general-attributes
address-pool pool-vpn2-client
authentication-server-group radius
default-group-policy svpn2
tunnel-group svpn2 ipsec-attributes
pre-shared-key editedkey
New VPN Configuration in the ASA:
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 2 192.168.3.0 255.255.255.0
etc.
ip local pool pool-vpn-client 192.168.254.99-192.168.254.200 mask 255.255.255.0
ip local pool pool-vpn2-client 192.168.254.60-192.168.254.69 mask 255.255.255.0
route Outside 192.168.254.0 255.255.255.0 81.x.x.x 1
aaa-server radiusvpn2 protocol radius
aaa-server radiusvpn2 host editedhostname
key thishasbeenedited
radius-common-pw thishasbeenedited
group-policy svpn internal
group-policy svpn attributes
wins-server value 192.168.4.6
dns-server value 192.168.4.6 192.168.4.7
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.eu
group-policy svpn2 internal
group-policy svpn2 attributes
wins-server value 192.168.4.6
dns-server value 192.168.4.6 192.168.4.7
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.eu
tunnel-group svpn type remote-access
tunnel-group svpn general-attributes
address-pool pool-vpn-client
authentication-server-group radius
default-group-policy svpn
tunnel-group svpn ipsec-attributes
pre-shared-key editedkey
tunnel-group svpn2 type remote-access
tunnel-group svpn2 general-attributes
address-pool pool-vpn2-client
authentication-server-group radius
default-group-policy svpn2
tunnel-group svpn2 ipsec-attributes
pre-shared-key editedkey
Changes that need to be made:
-Default gateway for all devices will be the 3560 (is now ASA)
-IP routing / inter-vlan routing on the 3560
-IP address out of each range on the 3560
-DHCP helper on the 3560 to the DHCP server
-DHCP scope for each vlan on our windows server
-Default routing.
Now my questions are (note: VPN is in the 192.168.254.0 range!):
1. Can I make a NAT for 192.168.0.0/16 or do I need to define it per block (192.168.2.x etc.)? Keep in mind that VPN uses 192.168.254.x
2. Do I need to define the VPN subnet on the 3560?
3. I presume I cannot use 192.168.0.0/16 on the ASA because of issues with the VPN route (192.168.254.0 goes out the Outside interface)? This means I would have to make default routes on the inside for each subnet.
4. In the new VPN configuration I only changed the DNS/WINS parameters; is this enough or am I missing something?
5. When we did some tests we got a VPN error 433; it seems isakmp nat-t should be able to solve this. Sadly we were unable to test it. I did put 192.168.0.0/16 as the default inside route and 192.168.0.0/16 as the NAT; could this have caused that issue as well? Or do people see anything else that might be missing?
6. If the 3560 has 192.168.2.2 and 192.168.5.2 (5.x is the default network range for my network devices; the ASA has 5.1), should I put the default gateway for clients in the 2.x range on 2.2 or on 5.2, and why?
So I hope you can help me understand these routing/NAT/VPN issues a bit better.
Best regards,
Ralph
PS. I hope this is the right subforum because it seems to be a bit of everything.
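A small checker, added here as an example and not part of Ralph's post, that applies the proposed "new" configuration to questions 1, 3 and 4: it parses the split-tunnel and NAT-exemption ACLs, lists which new VLAN subnets still have no entry toward the VPN pool (the ACLs above still reference 192.168.0.0/24 only), prints the entries that would close that gap, and computes the prefixes that cover 192.168.0.0/16 without the 192.168.254.0/24 VPN pool. The function names and layout are my assumptions; the addresses are the ones in the post.

```python
# Added example (not from the post): sanity-check the VLAN migration's VPN ACLs.
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]


def parse_acl(config: str) -> Dict[str, List[Entry]]:
    """Collect 'access-list NAME extended permit ip SRC MASK DST MASK' lines per ACL name."""
    acls: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 9 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}")   # dotted mask is accepted
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}")
            acls.setdefault(t[1], []).append((src, dst))
    return acls


def uncovered(inside: List[Net], vpn_pool: Net, entries: List[Entry]) -> List[str]:
    """Inside subnets with no entry whose source covers them and whose destination covers the pool."""
    return [str(n) for n in inside
            if not any(n.subnet_of(s) and vpn_pool.subnet_of(d) for s, d in entries)]


def missing_lines(name: str, subnets: List[str], vpn_pool: Net) -> List[str]:
    """ACL lines that would cover each listed subnet toward the VPN pool."""
    return [f"access-list {name} extended permit ip {Net(n).network_address} {Net(n).netmask} "
            f"{vpn_pool.network_address} {vpn_pool.netmask}" for n in subnets]


def aggregate_excluding(aggregate: str, carve_out: str) -> List[str]:
    """Smallest set of prefixes covering `aggregate` minus `carve_out` (e.g. the VPN pool)."""
    return [str(n) for n in sorted(Net(aggregate).address_exclude(Net(carve_out)))]


# Constructed inputs: the two ACL lines from the proposed "new" configuration in the post.
NEW_CONFIG = """
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
"""
INSIDE_VLANS = [Net(f"192.168.{v}.0/24") for v in (2, 3, 4, 5)]  # VLANs 2-5 from the post
VPN_POOL = Net("192.168.254.0/24")


def report(config: str = NEW_CONFIG) -> Dict[str, List[str]]:
    """Per ACL, the new VLAN subnets that have no entry toward the VPN pool."""
    acls = parse_acl(config)
    return {name: uncovered(INSIDE_VLANS, VPN_POOL, acls.get(name, []))
            for name in ("split", "inside_nat0_outbound")}


if __name__ == "__main__":
    for name, gaps in report().items():
        print(f"{name}: no entry for {gaps}")
        for line in missing_lines(name, gaps, VPN_POOL):
            print("  ", line)
    print("192.168.0.0/16 without the VPN pool:", aggregate_excluding("192.168.0.0/16", "192.168.254.0/24"))
```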
10-26-2010 11:14 PM
Anyone that can help me with some input on these questions?
Curious whether people would think it's better to put the VPN on, for example, a class A subnet.