VPN traffic restriction between VLAN

Unanswered Question
Dec 8th, 2009

Greeting All,

I have an ASA connected to a switch via a DOT1Q trunk where I have VLANs 10, 20, 100 configured on both switches. I'm using VLAN 100 for the remote user pool and I have my switch configured for inter-VLAN routing, so my issue is:

I have set up Easy VPN for remote access, but it seems I can't access my internal resources; I can only ping my default GW on the switch. However, when I use my SSL VPN via the web browser I have full reachability to all my VLANs.

Can anyone please help me understand why I can't reach the rest of the VLANs while I'm using my Easy VPN connection?


Herbert Baerten Wed, 12/09/2009 - 11:48
User Badges: Cisco Employee

Seifeddine-Tlili wrote:

I have VLANs 10, 20, 100 configured on both switches. I'm using VLAN 100 for the remote user pool and I have my switch configured for inter-VLAN routing, so my issue is:

I'm not sure if I understand your description correctly but I think what you need to do is remove the vlan100 interface from the switch. The switch needs to send traffic destined for the clients to the ASA.



Seifeddine-Tlili Wed, 12/09/2009 - 11:57

Hi Herbert

Thanks for your reply. Actually, if I remove VLAN 100 from my switch it will also be removed from my trunk link!!! So VLAN 100 would now be isolated. Can you please correct me if I'm wrong?


The link is a trunk and VLANs 10, 20, 100 are allowed on the trunk, with all VLANs properly configured on both devices.

Removing VLAN 100 means removing it from the trunk link, so no communication with the rest of the VLANs!!

Thanks for your help, I appreciate it.

Herbert Baerten Wed, 12/09/2009 - 12:09
User Badges: Cisco Employee

What I was trying to say is that the EzVPN pool should be a range of addresses that the switch routes to the ASA, so the switch should not have an interface in this network.

So if VLAN 100 is also used for something else, then keep it but use another range of addresses for the pool.

If VLAN 100 is not used for anything else, just remove it.

If it's still not clear, would you mind posting your configs (of the switch and the ASA) here?

Herbert Baerten Wed, 12/09/2009 - 23:54
User Badges: Cisco Employee

Not sure what you are trying to achieve here: either you're doing something very unusual, or you're overcomplicating things.

IMHO it does not make sense to have an ASA interface in each VLAN *and* an L3 interface in each VLAN on the switch.

So the question is: do you want the switch to do the inter-VLAN routing (so there is no access control between them), or the ASA (so you can specify which traffic is allowed between VLANs)?

If the switch is to do the inter-VLAN routing, then you don't need an ASA interface in each VLAN, so you don't even need the trunk; just use one VLAN to interconnect the ASA and the switch, e.g. VLAN 12:

interface Ethernet0/0
 description INSIDE_UL_LAB
 security-level 90
 ip address
no interface Ethernet0/0.2
no interface Ethernet0/0.10
no interface Ethernet0/0.12
no interface Ethernet0/0.100

no nat (VLan_2) 1

And since you already have in use on the inside, use a different range for the pool:

no ip local pool VLAN_11 mask

ip local pool ezvpn-pool mask

group-policy ULMLT attributes
  address-pools value ezvpn-pool

If, on the other hand, you want to control access between the VLANs, then keep the ASA config and remove the L3 interfaces on the switch:

no interface Vlan2
no interface Vlan10
no interface Vlan12

In the former case, inside hosts should use the switch's address (in their VLAN) as their default GW.

In the latter case, inside hosts should use the ASA's address (in their VLAN) as their default GW.

BTW I can't guarantee that the above config changes are complete, but I hope it's clear what direction you should follow.
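The recurring point in Herbert's replies (the EzVPN pool must be a range the switch routes to the ASA, never a subnet the switch has its own SVI in) is easy to check before touching the boxes. The script below is an added example written for this thread, not code from the thread or from Cisco: given the L3 switch's SVI addresses and the ASA's address on the interconnect VLAN, it flags any pool that overlaps a connected subnet (the switch would then ARP for VPN clients locally instead of forwarding to the ASA, which is exactly the "I can only ping the gateway" symptom) and, for a clean pool, prints the static route the switch needs. All addresses, SVI names and the ASA address are constructed placeholders; the thread gives none.

```python
import ipaddress

# Constructed sample data (not from the thread): the switch's SVI addresses and the
# ASA's address on the VLAN that interconnects switch and ASA. Adjust to your own.
SWITCH_SVIS = {
    "Vlan10": "10.0.10.1/24",
    "Vlan20": "10.0.20.1/24",
    "Vlan100": "10.0.100.1/24",  # an SVI sitting in the VPN pool range: the problem case
}
ASA_INSIDE = "10.0.12.2"         # assumed ASA address on the interconnect VLAN


def overlapping_svis(pool_cidr, svis):
    """Return the names of SVIs whose connected subnet overlaps the VPN pool.

    A connected route always beats a static route, so any overlap means the switch
    treats VPN client addresses as local hosts and never forwards them to the ASA.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    return [name for name, addr in svis.items()
            if pool.overlaps(ipaddress.ip_interface(addr).network)]


def switch_route_for_pool(pool_cidr, asa_addr):
    """IOS static route the L3 switch needs so return traffic for VPN clients reaches the ASA."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    return f"ip route {pool.network_address} {pool.netmask} {asa_addr}"


def check_pool(pool_cidr, svis=SWITCH_SVIS, asa_addr=ASA_INSIDE):
    """Validate a candidate EzVPN pool against the switch's connected subnets.

    Returns (ok, notes): on overlap, ok is False and notes say which SVI to remove or
    which pool to move; otherwise ok is True and notes hold the route to add.
    """
    hits = overlapping_svis(pool_cidr, svis)
    if hits:
        return False, [f"pool {pool_cidr} overlaps the connected subnet of {name}; "
                       f"remove that SVI or choose another pool range" for name in hits]
    return True, [switch_route_for_pool(pool_cidr, asa_addr)]


if __name__ == "__main__":
    # The pool the poster described (inside VLAN 100) versus a dedicated, unused range.
    for pool in ("10.0.100.0/24", "10.0.200.0/24"):
        ok, notes = check_pool(pool)
        print(f"{pool}: {'OK' if ok else 'PROBLEM'}")
        for note in notes:
            print("  ", note)
```

This covers the first of Herbert's two designs (switch routes between VLANs, ASA reached over a single interconnect VLAN). In the second design, where the switch's SVIs are removed and the ASA routes between VLANs, the pool is a directly attached route on the ASA and no switch route is needed, so the overlap check is simply run against an empty SVI set.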