12-08-2009 03:01 PM
Greeting All,
I have an ASA connected to a switch via a DOT1Q trunk where I have VLANs 10, 20, 100 configured on both switches. I'm using VLAN 100 for the remote user pool and I have my switch configured for inter-VLAN routing, so my issue is:
I have set up Easy VPN for remote access, but it seems I can't access my internal resources; I can only ping my default GW on the switch. However, when I use my SSL VPN via the web browser I have full reachability to all my VLANs.
Can anyone please help with why I can't reach the rest of the VLANs while I'm using my Easy VPN connection?
Thanks
12-09-2009 11:48 AM
Seifeddine-Tlili wrote:
I have VLANs 10, 20, 100 configured on both switches. I'm using VLAN 100 for the remote user pool and I have my switch configured for inter-VLAN routing, so my issue is:
I'm not sure if I understand your description correctly but I think what you need to do is remove the vlan100 interface from the switch. The switch needs to send traffic destined for the clients to the ASA.
hth
Herbert
12-09-2009 11:57 AM
Hi Herbert
Thanks for your reply. Actually, if I remove VLAN 100 from my switch it will also be removed from my trunk link!!! So VLAN 100 would then be isolated. Can you please correct me if I'm wrong?
ASA------3570
The link is a trunk and VLANs 10, 20, 100 are allowed on the trunk; all VLANs are properly configured on both devices.
Removing VLAN 100 means removing it from the trunk link, so no communication with the rest of the VLANs!!
Thanks for your help, I appreciate it.
12-09-2009 12:09 PM
What I was trying to say is that the ezvpn pool should be a range of addresses that the switch routes to the ASA, so the switch should not have an interface in this network.
So if vlan 100 is also used for something else, then keep it but use another range of addresses for the pool.
If vlan 100 is not used for anything else, just remove it.
If it's still not clear, would you mind posting your configs (of the switch and the ASA) here?
12-09-2009 11:54 PM
Not sure what you are trying to achieve here - either you're doing something very unusual, or you're overcomplicating things.
IMHO it does not make sense to have an ASA interface in each vlan *and* a L3 interface in each vlan on the switch.
So the question is: do you want the switch to do the inter-vlan routing (so there is no access control between them) or the ASA (so you can specify which traffic is allowed between vlans).
If the switch is to do the inter-vlan routing, then you don't need an ASA interface in each vlan, so you don't even need the trunk; just use one vlan to interconnect the ASA and the switch, e.g. vlan12:
interface Ethernet0/0
description INSIDE_UL_LAB
nameif INSIDE_LAB_MAIN
security-level 90
ip address 172.16.12.100 255.255.255.0
!
no interface Ethernet0/0.2
no interface Ethernet0/0.10
no interface Ethernet0/0.12
no interface Ethernet0/0.100
route INSIDE_LAB_MAIN 172.16.2.0 255.255.255.0 172.16.12.1
route INSIDE_LAB_MAIN 172.16.10.0 255.255.255.0 172.16.12.1
route INSIDE_LAB_MAIN 172.16.11.0 255.255.255.0 172.16.12.1
nat (INSIDE_LAB_MAIN) 1 172.16.11.0 255.255.255.0
no nat (VLan_2) 1 172.16.11.0 255.255.255.0
and since you have 172.16.11.0 already in use on the inside, use a different range for the pool:
no ip local pool VLAN_11 172.16.11.200-172.16.11.250 mask 255.255.255.0
ip local pool ezvpn-pool 172.16.13.200-172.16.13.250 mask 255.255.255.0
group-policy ULMLT attributes
address-pools value ezvpn-pool
If on the other hand, you want to control access between the vlans, then keep the asa config and remove the L3 interfaces on the switch:
no interface Vlan2
no interface Vlan10
no interface Vlan12
In the former case, inside hosts should use the switch's address (in their vlan) as their default gw.
In the latter case, inside hosts should use the ASA's address (in their vlan) as their default gw.
BTW I can't guarantee that the above config changes are complete, but I hope it's clear what direction you should follow.
hth
Herbert
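The two design points Herbert makes in his replies (the client pool must be a range the switch routes to the ASA rather than a subnet the switch has its own L3 interface in, and the pool must not overlap an inside subnet that is already in use) can be checked mechanically before pushing a config. The script below is an added example written for this thread, not code from either poster or from Cisco; the switch SVIs, the ASA address 172.16.12.100 and the static routes are constructed sample data modelled on the addresses in the thread, and the helper names are hypothetical. It parses an ASA-style `ip local pool first-last mask` range, flags any switch SVI whose subnet overlaps it (the symptom in the original question: the switch answers for pool addresses locally instead of forwarding them to the ASA), and confirms that a switch static route covering the pool points at the ASA.

```python
import ipaddress

# Constructed sample topology (assumptions, not a real device config):
# the switch keeps L3 SVIs in vlans 2, 10, 11 and 12, and the ASA's single
# inside interface sits in the interconnect vlan 12 at 172.16.12.100.
SWITCH_SVIS = {
    "Vlan2": "172.16.2.1/24",
    "Vlan10": "172.16.10.1/24",
    "Vlan11": "172.16.11.1/24",
    "Vlan12": "172.16.12.1/24",
}
ASA_INSIDE_IP = "172.16.12.100"
# Switch static routes as (destination, next hop); the corrected pool from
# the thread (172.16.13.0/24) is routed to the ASA.
SWITCH_ROUTES = [("172.16.13.0/24", "172.16.12.100")]


def pool_network(first, last, mask):
    """Return the network an ASA 'ip local pool first-last mask' belongs to."""
    net = ipaddress.ip_interface(f"{first}/{mask}").network
    if ipaddress.ip_address(last) not in net:
        raise ValueError(f"pool {first}-{last} does not fit inside {net}")
    return net


def switch_routes_pool_to_asa(pool, routes, asa_ip):
    """True if some static route that covers the pool has the ASA as next hop."""
    asa = ipaddress.ip_address(asa_ip)
    for destination, next_hop in routes:
        covers = ipaddress.ip_network(destination).supernet_of(pool)
        if covers and ipaddress.ip_address(next_hop) == asa:
            return True
    return False


def check_pool(first, last, mask, svis=SWITCH_SVIS, routes=SWITCH_ROUTES,
               asa_ip=ASA_INSIDE_IP):
    """Return a list of findings; an empty list means the pool is routed cleanly."""
    findings = []
    pool = pool_network(first, last, mask)

    # Finding 1: the switch owns an interface in the pool's subnet, so it will
    # ARP for client addresses locally instead of sending them to the ASA.
    for name, cidr in svis.items():
        svi_net = ipaddress.ip_interface(cidr).network
        if svi_net.overlaps(pool):
            findings.append(
                f"pool {pool} overlaps switch interface {name} ({svi_net}): "
                f"remove the SVI or move the pool to an unused range")

    # Finding 2: no path back to the clients; return traffic from inside hosts
    # needs a route for the pool whose next hop is the ASA.
    if not switch_routes_pool_to_asa(pool, routes, asa_ip):
        findings.append(
            f"no switch route for {pool} via the ASA; add: "
            f"ip route {pool.network_address} {pool.netmask} {asa_ip}")
    return findings


if __name__ == "__main__":
    # The original pool from the thread, overlapping an inside vlan.
    for line in check_pool("172.16.11.200", "172.16.11.250", "255.255.255.0"):
        print("old pool:", line)
    # The relocated pool Herbert suggests, routed to the ASA.
    result = check_pool("172.16.13.200", "172.16.13.250", "255.255.255.0")
    print("new pool:", result or "ok")
```

Running it prints two findings for the original 172.16.11.x pool (it overlaps the Vlan11 SVI and no route sends it to the ASA) and "ok" for the relocated 172.16.13.x pool; dropping the static route from `SWITCH_ROUTES` reproduces the "no switch route" finding together with the exact `ip route` line to add.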