VPN traffic restriction between VLAN

Greeting All,

I have an ASA connected to a switch via a DOT1Q trunk where I have VLANs 10, 20 and 100 configured on both switches. I'm using VLAN 100 for the remote user pool and I have my switch configured for inter-VLAN routing, so my issue is:

I have set up Easy VPN for remote access but it seems I can't access my internal resources; I can only ping my default GW on the switch. However, when I use my SSL VPN via the web browser I have full reachability to all my VLANs.

Can anyone please help with why I can't reach the rest of the VLANs while I'm using my Easy VPN connection?

Thanks

5 Replies

Herbert Baerten
Cisco Employee

Seifeddine-Tlili wrote:

i have vlan 10,20,100 configured on both switches, I'm using Vlan 100 for the remote user pool and I have my switch configured for inter-vlan routing so my issue is:

I'm not sure if I understand your description correctly but I think what you need to do is remove the vlan100 interface from the switch. The switch needs to send traffic destined for the clients to the ASA.

hth

Herbert

Hi Herbert

Thanks for your reply. Actually, if I remove VLAN 100 from my switch it will also be removed from my trunk link!!! So VLAN 100 would then be isolated. Can you please correct me if I'm wrong?

ASA------3570

The link is a trunk and VLANs 10, 20 and 100 are allowed on the trunk, and all VLANs are properly configured on both devices.

Removing VLAN 100 means removing it from the trunk link, so no communication with the rest of the VLANs!!

Thanks for your help, I appreciate it.

What I was trying to say is that the ezvpn pool should be a range of addresses that the switch routes to the ASA, so the switch should not have an interface in this network.

So if vlan 100 is also used for something else, then keep it but use another range of addresses for the pool.

If vlan 100 is not used for anything else, just remove it.

If it's still not clear, would you mind posting your configs (of the switch and the ASA) here?

Greeting Herbert,

I actually used the GUI to set up the VPN connection, but here are the CLI outputs:

Not sure what you are trying to achieve here - either you're doing something very unusual, or you're overcomplicating things

IMHO it does not make sense to have an ASA interface in each vlan *and* a L3 interface in each vlan on the switch.

So the question is: do you want the switch to do the inter-vlan routing (so there is no access control between them) or the ASA (so you can specify which traffic is allowed between vlans).

If the switch is to do the inter-vlan routing, then you don't need an ASA interface in each vlan, so you don't even need the trunk; just use one vlan to interconnect the ASA and the switch, e.g. vlan12:

interface Ethernet0/0
description INSIDE_UL_LAB
nameif INSIDE_LAB_MAIN
security-level 90
ip address 172.16.12.100 255.255.255.0
!
no interface Ethernet0/0.2
no interface Ethernet0/0.10
no interface Ethernet0/0.12
no interface Ethernet0/0.100

route INSIDE_LAB_MAIN 172.16.2.0 255.255.255.0 172.16.12.1

route INSIDE_LAB_MAIN 172.16.10.0 255.255.255.0 172.16.12.1

route INSIDE_LAB_MAIN 172.16.11.0 255.255.255.0 172.16.12.1

nat (INSIDE_LAB_MAIN) 1 172.16.11.0 255.255.255.0

no nat (VLan_2) 1 172.16.11.0 255.255.255.0

and since you have 172.16.11.0 already in use on the inside, use a different range for the pool:

no ip local pool VLAN_11 172.16.11.200-172.16.11.250 mask 255.255.255.0

ip local pool ezvpn-pool 172.16.13.200-172.16.13.250 mask 255.255.255.0

group-policy ULMLT attributes
  address-pools value ezvpn-pool

If on the other hand, you want to control access between the vlans, then keep the asa config and remove the L3 interfaces on the switch:

no interface Vlan2
no interface Vlan10
no interface Vlan12

In the former case, inside hosts should use the switch's address (in their vlan) as their default gw.

In the latter case, inside hosts should use the ASA's address (in their vlan) as their default gw.

BTW I can't guarantee that the above config changes are complete, but I hope it's clear what direction you should follow.

hth

Herbert
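The two design problems Herbert describes, a routed interface for the same subnet on both the ASA and the switch (two gateways, so return traffic can take a path that bypasses the firewall), and a VPN pool carved out of a subnet the switch already considers directly connected (so it never forwards that traffic to the ASA), can be caught by a small config audit. The following is an added example and not code from the thread or from Cisco; the config snippets are constructed to mirror the thread's layout, and the interface names and addresses in them are assumptions. It compares the "before" layout (ASA subinterface plus switch SVI in every VLAN, pool inside 172.16.11.0/24) with the single-transit-VLAN layout from the reply above.

```python
import ipaddress
import re

# Constructed sample configs (assumptions, not the poster's real config).
ASA_BEFORE = """\
interface Ethernet0/0.12
 vlan 12
 nameif INSIDE_LAB_MAIN
 ip address 172.16.12.100 255.255.255.0
!
interface Ethernet0/0.100
 vlan 100
 nameif VLAN_100
 ip address 172.16.11.100 255.255.255.0
!
ip local pool VLAN_11 172.16.11.200-172.16.11.250 mask 255.255.255.0
"""

SWITCH_BEFORE = """\
interface Vlan12
 ip address 172.16.12.1 255.255.255.0
!
interface Vlan100
 ip address 172.16.11.1 255.255.255.0
!
"""

# The "switch does inter-vlan routing" layout: one transit vlan to the ASA,
# pool taken from a range that is not directly connected anywhere.
ASA_AFTER = """\
interface Ethernet0/0
 nameif INSIDE_LAB_MAIN
 ip address 172.16.12.100 255.255.255.0
!
ip local pool ezvpn-pool 172.16.13.200-172.16.13.250 mask 255.255.255.0
"""

SWITCH_AFTER = """\
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan12
 ip address 172.16.12.1 255.255.255.0
!
"""

IFACE = re.compile(r"^interface (\S+)")
IP_ADDR = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
POOL = re.compile(r"^\s*ip local pool (\S+) (\S+)-(\S+) mask (\S+)")


def routed_interfaces(config):
    """Map interface name -> IPv4Interface for every interface with an ip address."""
    result, current = {}, None
    for line in config.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IP_ADDR.match(line)
        if m and current:
            # IPv4Interface accepts a dotted netmask after the slash.
            result[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result


def local_pools(config):
    """Map pool name -> list of networks that exactly cover the pool's range."""
    pools = {}
    for line in config.splitlines():
        m = POOL.match(line)
        if m:
            start, end = ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))
            pools[m.group(1)] = list(ipaddress.summarize_address_range(start, end))
    return pools


def shared_subnets(asa, switch):
    """Subnets where both devices have a routed interface (two gateways).
    Exactly one is expected: the transit link. More than one means inter-vlan
    routing is duplicated and traffic can bypass the ASA."""
    return sorted(
        (a_name, s_name, str(a_if.network))
        for a_name, a_if in asa.items()
        for s_name, s_if in switch.items()
        if a_if.network.overlaps(s_if.network)
    )


def pool_overlaps(pools, interfaces):
    """VPN pool ranges carved out of a subnet that is directly connected on a device."""
    findings = []
    for pool_name, nets in pools.items():
        for if_name, iface in interfaces.items():
            if any(n.overlaps(iface.network) for n in nets):
                findings.append((pool_name, if_name, str(iface.network)))
    return sorted(findings)


def audit(asa_config, switch_config):
    asa_if = routed_interfaces(asa_config)
    sw_if = routed_interfaces(switch_config)
    pools = local_pools(asa_config)
    return {
        "shared_subnets": shared_subnets(asa_if, sw_if),
        "pool_on_asa_subnet": pool_overlaps(pools, asa_if),
        "pool_on_switch_subnet": pool_overlaps(pools, sw_if),
    }


if __name__ == "__main__":
    for label, (a, s) in {"before": (ASA_BEFORE, SWITCH_BEFORE),
                          "after": (ASA_AFTER, SWITCH_AFTER)}.items():
        print(label, audit(a, s))
```

On the "before" configs the audit reports two shared subnets and a pool that lives inside a subnet both devices consider directly connected, which is exactly why the switch answers pings itself but never hands the clients' traffic back to the ASA. On the "after" configs only the transit VLAN is shared and the pool overlaps nothing. The audit does not check host default gateways, so the last two points of the reply above still have to be verified by hand.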
