Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
270
Views
0
Helpful
1
Replies

VPN and VLANs

t.pieters
Level 1
Level 1

‎07-10-2008 01:49 AM - edited ‎02-21-2020 02:55 AM

Hi folks,

I need your assistance on this...

We are using a PIX 515e firewall on the edge of our network.

Behind it a network, separated into VLANs (VLAN x has IP addresses

10.0.x.0/24 with x=11 to 17). Routing between VLANs is performed by

a layer-3 routing switch which is directly connected to the PIX, untagged in

VLAN 13 (IP address 10.0.13.254). Default gateway for network hosts

is the IP address of the routing switch in the VLAN, which the host

belongs to (i.e. 10.0.x.1 with x=11 to 17). Default route on the routing

switch points to the PIX, the PIX has routes back to the routing switch

for each of the IP ranges 10.0.x.0/24.

Now, recently, in came the remote access VPN capability of the PIX:

some users require access to the lan from their homes. Now i wanted to

"extend" the IP ranges defined by the VLANs over the VPN, meaning:

a user whose computer resides in VLAN x when he/she's in the office

(i.e. the host will have an IP address in 10.0.x.0/24) should receive

an IP address in 10.0.x.0/24 for the home workstation as well, once

the VPN tunnel is set up. The VPN should extend the LAN to the home

in its broadest sense, i.e. apart from the user setting up the tunnel with

the VPN client, the LAN should be fully transparent from home and

the home user's perception should be as if he/she were in the office.

Now i'm far from an expert in this matter, hence this post...

Can this be achieved with the above preliminaries (for other subnets than

10.0.13.0/24 as well)? How do i tackle this (also if not possible with the

above assumptions)? Can i use DHCP? Do i need to tag the link between the routing switch and

the PIX on all VLANs (in that case, assuming i want the routing switch to

keep doing the routing, how do i configure the routing on the routing switch

and on the PIX)?

Thanx in advance for your replies,

Tim

0 Helpful
1 Reply 1

andrew.prince
Level 10
Level 10

‎07-10-2008 06:15 AM

Tim,

An easy way I can think of - is create specific VPN profiles per user group/vlan.

A harder more central way is using a RADIUS server to send configuration attributes based on the user.

Just my opinion.

HTH.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card