how to add another vlan subnet in existing EzVPN setup

zubair.sipra
Level 1

I am using EasyVPN:


Head Office(ASA 5510 with public ip) connected to SiteOffice(Cisco Router 2810 with PPPoE)

Head Office network: 192.168.2.0/24

Site Office network: 192.168.1.0/24

Everything is working fine.


Now I have another VLAN subnet(192.168.100.0/24), how I can add this network with existing easyVPN setup?


Note: Network Diagram and Configurations are attached.


thanks

5 Replies

czaja0000
Level 1

Hi,

Possible solution.

You need to create VLANs on the ASA.

ASA reconfiguration.

For example:

1. Define VLANs on ASA5510

! Physical port becomes an 802.1Q trunk toward the switch; it carries no IP itself.
interface Ethernet0/0
 description Trunk-to-SWxxx
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Existing LAN stays on VLAN 1 as the "inside" interface.
interface Ethernet0/0.1
 description LAN
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.2.246 255.255.255.0
 no shutdown
!
! New VLAN 100 (192.168.100.0/24) on its own sub-interface.
interface Ethernet0/0.10
 description Network-VLAN-100
 vlan 100
 nameif zzzz
 security-level 100
 ip address 192.168.100.254 255.255.255.0
 no shutdown
!
! Further VLANs follow the same pattern.
interface Ethernet0/0.20
 description Network-VLAN-1010
 vlan 1010
 nameif uuuuuu
 security-level 100
 ip address 10.10.10.254 255.255.255.0
 no shutdown

2. Modification on Easy VPN Server

A) NAT-0

! Exempt traffic between each head-office subnet and the site-office subnet from NAT.
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

B) Define the traffic that should pass through the tunnel.

Remove the existing standard ACL Split_Tunnel_List and create a new one.

access-list Split_Tunnel_List extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

Switch SW modification.

Configure interface fa1/2 on SW as TRUNK !!

________________

Best regards,
MB
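The steps above leave out the glue that makes them take effect, so here is an added example (not from the thread and not MB's or Cisco's configuration) of the complete ASA-side change for the routed-on-ASA design, written in pre-8.3 ASA syntax to match the "nat 0" style used in the reply. Assumed names: the new interface is called "vlan100" and the Easy VPN group-policy is "EzVPN_GP"; the 10.10.10.0/24 VLAN is left out for brevity. One switch-side check the thread does not cover: an ASA sub-interface only receives 802.1Q-tagged frames, and untagged frames are handled by the physical interface, which here has no nameif. If fa1/2's native VLAN is VLAN 1, the existing inside subnet goes dark after the change; either move the trunk's native VLAN to an unused VLAN so VLAN 1 arrives tagged, or keep "inside" on the physical Ethernet0/0 and create sub-interfaces only for the new VLANs.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Assumed: nameif "vlan100", group-policy "EzVPN_GP", VLAN 1 tagged on the trunk.
!
! 1. Trunk toward the switch; existing LAN stays on VLAN 1 as "inside".
interface Ethernet0/0
 description Trunk-to-SW
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/0.1
 description LAN (existing inside)
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.2.246 255.255.255.0
!
interface Ethernet0/0.100
 description Network-VLAN-100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
! 2. Both VLANs are at security-level 100. Without this line the ASA drops
!    inside <-> vlan100 traffic even when no ACL is applied.
same-security-traffic permit inter-interface
!
! 3. NAT exemption. The ACL by itself does nothing; it must be bound with
!    "nat (<nameif>) 0" on every interface whose hosts use the tunnel.
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
nat (vlan100) 0 access-list no-nat
!
! 4. Split-tunnel list pushed to the Easy VPN remote (the 2810). In network
!    extension mode it names the head-office destinations the remote router
!    sends into the tunnel, so no static route is needed on the 2810 for them.
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.100.0 255.255.255.0
!
group-policy EzVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 nem enable
!
! 5. Checks. The list is delivered during mode-config, so bounce the tunnel
!    once, then confirm a second SA pair and a clean path through the ASA.
! clear crypto isakmp sa
! show crypto ipsec sa
! packet-tracer input vlan100 icmp 192.168.100.10 8 0 192.168.1.10
```

After the remote reconnects, "show crypto ipsec sa" should list one SA pair for 192.168.2.0/24 <-> 192.168.1.0/24 and a second for 192.168.100.0/24 <-> 192.168.1.0/24; if only the first appears, the remote is still running the old split list or the group-policy is not the one the tunnel-group uses.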

Dear MB,

My question: if I create VLAN sub-interfaces with IPs on the ASA, how will the router forward its traffic to all of them? On the router there is only one static route, pointing at the interface IP 192.168.2.246/24 (the ASA VLAN-1 interface). Do I need to add any other static route on the router, is one route enough, or is something else needed?

thanks

zubair sipra wrote:

Dear MB,

My question: if I create VLAN sub-interfaces with IPs on the ASA, how will the router forward its traffic to all of them? On the router there is only one static route, pointing at the interface IP 192.168.2.246/24 (the ASA VLAN-1 interface). Do I need to add any other static route on the router, is one route enough, or is something else needed?

thanks

In this scenario, in my view, static routes can't be used.

I suggest using the Policy Based Routing (PBR) feature on the router.

Can you specify the model of the switch (SW)?

Is the switch L2 or L3?

Maybe that can solve your problem another way...

________________

Best regards,
MB

Dear MB,

It is a 3Com L3 switch, model "3Com Switch 4800G".

I think that even if I use PBR I still need to specify a next hop; then what will the next-hop IP address be?

thanks


Hi,

Next hop: it must be the address of the appropriate interface on the ASA.

I'm sorry, but I don't have great knowledge about 3Com devices.

________________

Best regards,
MB
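Since the switch turned out to be an L3 3Com 4800G, here is an added example (not from the thread and not MB's or Cisco's configuration) of the other layout MB was hinting at when asking whether the switch is L2 or L3: the switch routes between VLAN 1 and VLAN 100, the ASA keeps its single inside interface on 192.168.2.246, and only a static route plus the tunnel ACLs change on the ASA. Assumptions: the switch's VLAN-interface addresses are 192.168.2.1 (VLAN 1) and 192.168.100.1 (VLAN 100), hosts in both VLANs use the switch as default gateway, the switch has a default route to 192.168.2.246, and the ASA runs pre-8.3 NAT syntax. The 3Com-side commands are deliberately not shown, as I do not know that CLI well enough to quote it.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Assumed: switch SVIs 192.168.2.1 (VLAN 1) and 192.168.100.1 (VLAN 100),
! switch default route -> 192.168.2.246, hosts' gateway = switch SVI.
!
! 1. No trunk and no sub-interfaces on the ASA: fa1/2 stays an access port
!    in VLAN 1. Tell the ASA that VLAN 100 is reachable via the switch.
route inside 192.168.100.0 255.255.255.0 192.168.2.1 1
!
! 2. NAT exemption for both head-office subnets, bound on the one inside
!    interface only (the ACL is inert until "nat (inside) 0" references it).
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
!
! 3. Split-tunnel list pushed to the Easy VPN remote; the 2810 learns from
!    this which destinations go into the tunnel, so it needs no new route.
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.100.0 255.255.255.0
!
! 4. Trace both directions through the ASA before touching the remote.
!    Site -> VLAN 100: decrypted on outside, forwarded out inside to 192.168.2.1.
!    VLAN 100 -> site: host -> switch -> 192.168.2.246 on inside -> encrypted.
! packet-tracer input outside icmp 192.168.1.10 8 0 192.168.100.10
! packet-tracer input inside  icmp 192.168.100.10 8 0 192.168.1.10
```

With this layout the next-hop question does not come up on the ASA: the only new forwarding decision is the static route above, and the ASA never has to send a packet back out the interface it arrived on, so no same-security hairpin setting is needed. The trade-off is that VLAN 1 to VLAN 100 traffic inside head office no longer passes through the ASA, so any inter-VLAN filtering has to live on the switch.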