multiple vlan using vpn

arumugasamy
Level 1

Dear Pros,

In the current client network there is one single flat network, 192.168.0.0/24. This network is connected to 6 remote locations (countries) via L2L VPN tunnels. At the head end (192.168.0.0/24) a PIX 515E is the VPN endpoint, and at each remote site a PIX 515E is the VPN endpoint.

Now in the main head office they have implemented 5 VLANs (172.20.14.0, 15.0, 16.0, 17.0, 18.0).

Now they want me to extend the VPN for all the VLANs to the same remote locations, where currently only one head office VLAN (1), 192.168.0.0/24, is configured with the VPN.

I want to know how I can extend the VPN to all the VLAN subnets.

Thanks

swamy

1 Reply

thult
Level 1

Hi,

You have to expand your crypto and NoNat access rules to include the new networks.

If one of your remote locations has 10.10.10.0/24, you have to configure it like this:

access-list crypto1 permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto1 permit ip 172.20.14.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto1 permit ip 172.20.15.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto1 permit ip 172.20.16.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto1 permit ip 172.20.17.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list crypto1 permit ip 172.20.18.0 255.255.255.0 10.10.10.0 255.255.255.0

For the NoNAT access-list I would make the following rules, which cover all the locations:

access-list NoNAT permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NoNAT permit ip 172.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0

You have to specify the same rules in reverse (from 172.20.14.0 to 192.168.0.0 and so on) on your remote locations for it to work.

Hope this helps! Plz rate if it did.
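As an added example that is not part of the thread (neither poster's code), here is a small Python generator that renders the hub-side crypto ACEs for each remote site in the PIX syntax used above, produces the spoke's mirror-image ACL, and checks the two conditions the reply relies on: that hub and spoke crypto ACLs are exact mirrors, and that every crypto entry is covered by a NoNAT entry (so the 172.20.0.0/16 aggregate really does exempt all five VLANs). The second remote subnet 10.10.20.0/24 and the per-site ACL names are constructed; only crypto1/NoNAT and 10.10.10.0/24 come from the reply.

```python
import ipaddress

# Hub-side subnets from the thread: the original flat network plus the five new VLANs.
HUB_SUBNETS = ["192.168.0.0/24", "172.20.14.0/24", "172.20.15.0/24",
               "172.20.16.0/24", "172.20.17.0/24", "172.20.18.0/24"]
# 10.10.10.0/24 is the remote LAN from the reply; 10.10.20.0/24 is a constructed second site.
REMOTE_SITES = {"site-a": "10.10.10.0/24", "site-b": "10.10.20.0/24"}


def ace(acl, src, dst):
    """Render one PIX extended ACE (permit ip SRC MASK DST MASK) with dotted masks."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return (f"access-list {acl} permit ip {s.network_address} {s.netmask} "
            f"{d.network_address} {d.netmask}")


def parse_ace(line):
    """Return (src_net, dst_net) from a 'permit ip A M B N' ACE."""
    f = line.split()
    return (ipaddress.ip_network(f"{f[4]}/{f[5]}"),
            ipaddress.ip_network(f"{f[6]}/{f[7]}"))


def build_pair(acl, local, remote):
    """Hub crypto ACL for one tunnel, plus the spoke's ACL with src/dst swapped."""
    hub = [ace(acl, l, r) for l in local for r in remote]
    spoke = [ace(acl, r, l) for l in local for r in remote]
    return hub, spoke


def all_sites(local, sites):
    """One (hub, spoke) ACL pair per remote site; ACL names are hypothetical."""
    return {name: build_pair(f"crypto-{name}", local, [net]) for name, net in sites.items()}


def is_mirror(hub_lines, spoke_lines):
    """True only when the spoke ACL is exactly the reversed set of the hub ACL."""
    hub = {parse_ace(l) for l in hub_lines}
    spoke = {parse_ace(l) for l in spoke_lines}
    return hub == {(d, s) for s, d in spoke}


def nat_exempt_covers(nonat_lines, crypto_lines):
    """Every crypto flow must sit inside some NoNAT entry; otherwise it gets NATed and misses the tunnel."""
    exempt = [parse_ace(l) for l in nonat_lines]
    return all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
               for s, d in (parse_ace(l) for l in crypto_lines))
```

Drop one line from either side and is_mirror() fails, which is the usual cause of a tunnel that only comes up for some subnets.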