Inter-VLAN routing and access to two different subnets via VPN

Unanswered Question
Jun 29th, 2010

Hello,

please see attached network diagram.

There are two subnets: the first, 192.168.8.0/24, is VLAN1 and the second, 192.168.10.0/24, is VLAN10.

Now I can reach the internet from both subnets without problem. I have also isolated these networks so that VLAN1 cannot reach VLAN10.

The last task I would like to accomplish is access to both networks via PPTP VPN.

Now I have configured PPTP VPN on the PIX. There is a pool of IP addresses that are assigned to clients when they connect to the VPN. You get a 192.168.8.10-20/255.255.255.255 address.

A client is able to connect, for example via RDP, to all servers in subnet 192.168.8.0/24, but he is not able to reach subnet 192.168.10.0/24 via VPN.

Do you have any idea how to configure the PIX or switch to reach both subnets via PPTP VPN?

Could somebody help me with this?

Thank you very much for suggestions.

Jan :-)

John Blakley Tue, 06/29/2010 - 10:25

Jan,

You're probably going to need to post your config for the pix. Generally, the pix is going to need to know how to get to the two subnets. If the inside interface is on the 192.168.8.0/24 subnet, but it doesn't know about the 192.168.10.0 subnet, then that's where your problem lies. You'd need to have a static route on your PIX like:

route inside 192.168.10.0 255.255.255.0 192.168.8.x

Although there can be a multitude of reasons you can't see it, like the ACL that's applied to the VPN clients when they authenticate, a NAT issue, etc.

HTH,

John

Eric Boadu Tue, 06/29/2010 - 10:36

Blakley is correct, and you should route that subnet inside your firewall to your L3 switch IP address.

Example: route inside 192.168.10.0 255.255.255.0 (your L3 switch IP address) 192.168.8.x. Let's say your switch IP is 192.168.8.1

route inside 192.168.10.0 255.255.255.0 192.168.8.1

Hope this helps.

Eric

Jan Rolny Tue, 06/29/2010 - 11:19

Hi John,

I already tried to add the static route 'route inside 192.168.10.0 255.255.255.0 192.168.8.1' but it does not work.

Here is my truncated running-config:

:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ****** encrypted
passwd ***** encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names

access-list outside_access_in permit icmp any host 88.103.x.x echo
access-list outside_access_in permit icmp any 88.103.x.x 255.255.255.0 echo-reply
access-list outside_access_in permit tcp any host 88.103.x.x object-group Exchange
access-list outside_access_in permit tcp any host 88.103.x.x object-group Kaspersky log
access-list outside_access_in permit tcp any host 88.103.x.x object-group onebridge
access-list outside_access_in permit tcp any host 88.103.x.x object-group memova
access-list outside_access_in permit tcp host CP_Support host 88.103.x.x eq ssh
access-list outside_access_in permit tcp host SMS host 88.103.x.x eq ssh log
access-list outside_access_in permit tcp any host 88.103.x.x object-group Afaria
access-list outside_access_in permit tcp host Scs_clx host 88.103.x.x eq 3868 log
access-list outside_access_in permit tcp any host 88.103.x.x object-group http-https
access-list outside_access_in permit tcp any host 88.103.x.x object-group http-https


access-list inside_outbound_nat0_acl permit ip any 192.168.8.0 255.255.255.224

pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor informational
logging buffered debugging
logging trap debugging
logging facility 23
logging host inside VRT155
mtu outside 1500
mtu inside 1500


ip address outside 90.18x.x.x 255.255.255.248
ip address inside 192.168.8.1 255.255.0.0


ip audit info action alarm
ip audit attack action alarm
ip local pool Pool-Test 192.168.8.10-192.168.8.20

pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 88.103.x.x 192.168.8.200 netmask 255.255.255.255 0 0
static (inside,outside) 88.103.x.x 192.168.8.8 netmask 255.255.255.255 0 0
static (inside,outside) 88.103.x.x 192.168.8.50 netmask 255.255.255.255 0 0
static (inside,outside) 88.103.x.x 192.168.10.250 netmask 255.255.255.255 0 0
static (inside,outside) 88.103.x.x 192.168.10.210 netmask 255.255.255.255 0 0
static (inside,outside) 88.103.x.x 192.168.10.220 netmask 255.255.255.255 0 0
static (inside,outside) Good 192.168.10.125 netmask 255.255.255.255 0 0


access-group outside_access_in in interface outside


route outside 0.0.0.0 0.0.0.0 90.183.231.49 1


timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server 194.228.x.x source outside prefer
http server enable
http Lgs-Net 255.255.255.240 outside
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss minimum 48
sysopt connection permit-ipsec
sysopt connection permit-pptp

ssh Lgs-Net 255.255.255.240 outside
ssh Eur-Net 255.255.0.0 outside
ssh 192.168.8.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Pool-Test
vpdn group PPTP-VPDN-GROUP client configuration dns EXCH
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username usr1 password *********
vpdn username usr2 password *********
vpdn username usr3 password *********
vpdn username usr4 password *********
vpdn username usr5 password *********
vpdn username usr6 password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside

terminal width 80

Regards,

Jan

John Blakley Tue, 06/29/2010 - 11:24

'route inside 192.168.10.0 255.255.255.0 192.168.8.1'

The above "192.168.8.1" is your firewall, so that wouldn't work. It should be:

route inside 192.168.10.0 255.255.255.0 192.168.8.2

I'm assuming that 192.168.8.2 is the VLAN 1 interface on the switch?

John

Jan Rolny Tue, 06/29/2010 - 11:40

I am not sure about this, it also does not work :-(

I think I will have to configure the L3 switch to be able to route the 8.0 network to the 10.0 net. Now I have routing disabled on the switch.

When I enable IP routing on the L3 switch, these two networks will no longer be isolated and all machines will be reachable.

BUT I would like to access both networks via VPN. The reason is that the 10.0 network would be a LAB net for customers. They will access this network via the internet (RDP enabled) to try some products.

So for security reasons I would like to isolate these two networks for customers, but not from me when I am accessing via VPN :-)

Maybe a little bit complicated.

Jan

John Blakley Tue, 06/29/2010 - 11:49

Jan,

I didn't realize you didn't have routing on the switch. Can something in the .10.x subnet on the inside of the switch get on the internet? You will need to enable routing on the switch if it's L3. Your traffic will come in on vlan 1 from the pix, and it will need to be able to route to vlan 10. Otherwise, I don't think your design is going to work without subinterfaces (which you can't do on a PIX, that I'm aware of).

So here's what I would do:

I would change what IP addresses you're handing out on the VPN to a different subnet. (192.168.3.0/24 for example.)

Enable routing on your switch.

Add a static route, supposing that you take my suggestion on changing addressing for the outside, to the switch like:

ip route 192.168.3.0 255.255.255.0 192.168.8.1

On your vlan SVI for vlan 10, deny traffic from 192.168.10.0:

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 100 permit ip any any

int vlan 10

ip access-group 100 in

If you don't want vlan 1 to get to vlan 10:

access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 101 permit ip any any

int vlan 1

ip access-group 101 in

You'll still need your inside route on the pix for 192.168.10.0:

route inside 192.168.10.0 255.255.255.0 192.168.8.2

Both should be able to get to 192.168.3.0/24.

John

**** Please rate helpful posts ****

John Blakley Tue, 06/29/2010 - 11:55

I also noticed that you had this as your inside address:

ip address inside 192.168.8.1 255.255.0.0

You should change your mask to 255.255.255.0, but you need to make sure that mask is on your vlan 1 subnet as well.

John
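The steps in John's two posts above (enable routing on the switch, point the PIX's inside route at the switch SVI rather than at the PIX's own address, give the switch a route back to the VPN pool if the pool is moved off the 192.168.8.0/24 subnet) can be checked hop by hop with a small forwarding model. This is an added example, not code from the thread or from Cisco. Every device is a longest-prefix-match table built from its connected interfaces plus static routes. The addresses and behaviours it assumes are stated as assumptions: the switch SVIs are 192.168.8.2 (VLAN 1) and 192.168.10.1 (VLAN 10), the PIX inside interface uses the /24 mask John recommended, a device with IP routing disabled discards transit packets, a static route whose gateway is the router's own interface address (the 'route inside ... 192.168.8.1' case) makes the router ARP for the destination itself on that interface, and the PIX answers ARP on VLAN 1 for its PPTP pool addresses.

```python
"""Hop-by-hop forwarding model for the VPN-client-to-VLAN-10 path (added example).

Constructed topology: PIX inside 192.168.8.1/24 on VLAN 1, L3 switch with SVIs
192.168.8.2 (Vlan1) and 192.168.10.1 (Vlan10), a server on VLAN 1 and a lab
host on VLAN 10. Assumed PIX semantics: a static route whose next hop is the
PIX's own interface address is treated as directly connected (the PIX ARPs for
the destination itself); the PIX answers ARP for its PPTP pool addresses.
"""
import ipaddress

# Constructed L2 view: which addresses answer ARP on each segment.
SEGMENTS = {
    "vlan1": {"192.168.8.1": "pix", "192.168.8.2": "switch", "192.168.8.200": "server",
              "192.168.8.15": "pix"},   # .15 is a PPTP pool address, proxy-ARPed by the PIX
    "vlan10": {"192.168.10.1": "switch", "192.168.10.125": "lab"},
}

class Router:
    def __init__(self, name, interfaces, routing=True, tunnel_pool=None):
        # interfaces: {ifname: ("addr/prefix", segment)}; tunnel_pool: (first, last) PPTP pool
        self.name, self.routing = name, routing
        self.ifaces = {n: (ipaddress.ip_interface(a), seg) for n, (a, seg) in interfaces.items()}
        self.routes = [(i.network, None, n) for n, (i, _) in self.ifaces.items()]  # connected
        self.pool = tuple(map(ipaddress.ip_address, tunnel_pool)) if tunnel_pool else None

    def add_route(self, prefix, next_hop):
        """Static route; the egress interface is the one whose subnet holds the gateway."""
        nh = ipaddress.ip_address(next_hop)
        for name, (itf, _) in self.ifaces.items():
            if nh in itf.network:
                self.routes.append((ipaddress.ip_network(prefix), nh, name))
                return
        raise ValueError(f"{self.name}: next hop {nh} is not on a connected subnet")

    def forward(self, dst):
        """('deliver'|'drop', reason) or ('hop', segment, address the router ARPs for)."""
        if self.pool and self.pool[0] <= dst <= self.pool[1]:
            return ("deliver", f"{self.name}: sent through the PPTP tunnel to {dst}")
        if not self.routing:
            return ("drop", f"{self.name}: ip routing disabled, transit packet discarded")
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return ("drop", f"{self.name}: no route to {dst}")
        _, nh, ifname = max(matches, key=lambda r: r[0].prefixlen)   # longest prefix wins
        itf, segment = self.ifaces[ifname]
        # Connected route, or a static whose gateway is our own address: ARP for dst directly.
        target = dst if nh is None or nh == itf.ip else nh
        return ("hop", segment, str(target))

def trace(devices, start, dst):
    """Follow a packet from router `start` toward dst; returns (outcome, path)."""
    dst = ipaddress.ip_address(dst)
    dev, path = devices[start], [start]
    for _ in range(8):                      # loop guard
        result = dev.forward(dst)
        if result[0] != "hop":
            return result[0], path + [result[1]]
        _, segment, target = result
        owner = SEGMENTS[segment].get(target)
        if owner is None:
            return "drop", path + [f"{dev.name}: no ARP reply for {target} on {segment}"]
        path.append(f"{segment}->{owner}")
        if owner not in devices:            # an end host owns the address
            return ("deliver" if target == str(dst) else "drop"), path
        dev = devices[owner]
    return "drop", path + ["hop limit"]

def build(pix_next_hop, switch_routing, switch_pool_route=None,
          pool=("192.168.8.10", "192.168.8.20")):
    """Assemble PIX + switch for one scenario from the thread."""
    pix = Router("pix", {"inside": ("192.168.8.1/24", "vlan1")}, tunnel_pool=pool)
    pix.add_route("192.168.10.0/24", pix_next_hop)
    sw = Router("switch", {"Vlan1": ("192.168.8.2/24", "vlan1"),
                           "Vlan10": ("192.168.10.1/24", "vlan10")}, routing=switch_routing)
    if switch_pool_route:
        sw.add_route(*switch_pool_route)
    return {"pix": pix, "switch": sw}

if __name__ == "__main__":
    print(trace(build("192.168.8.1", True), "pix", "192.168.10.125"))    # gateway = PIX itself
    print(trace(build("192.168.8.2", False), "pix", "192.168.10.125"))   # switch not routing
    ok = build("192.168.8.2", True)
    print(trace(ok, "pix", "192.168.10.125"))                            # VPN client -> lab
    print(trace(ok, "switch", "192.168.8.15"))                           # lab -> VPN client
    moved = build("192.168.8.2", True, ("192.168.3.0/24", "192.168.8.1"),
                  pool=("192.168.3.1", "192.168.3.254"))
    print(trace(moved, "switch", "192.168.3.7"))                         # pool moved, route added
```

The last scenario only needs the switch static route when the switch has no default route toward the PIX; with a default route already present for internet access, the moved pool is reachable without it. The model does not include the SVI ACLs, which act after the routing decision.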

Jan Rolny Thu, 07/01/2010 - 02:36

Hi John,

thank you for help.

First I have to plan when to change VPN pool and test it if it will work.

So I decided to make changes in ACL on switch.

I have tried this access list and it denies all traffic from 192.168.10.0, also traffic that is initiated from the 192.168.8.0 network:

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 100 permit ip any any

int vlan 10

ip access-group 100 in

I found that I can deny all traffic from .10.0 and permit traffic established from another network like .8.0,

so the simple ACL rule is

access-list 100 permit tcp any any established

This will deny all traffic from the .10.0 network because of the default deny rule at the end, and permit all traffic from the initiating network.

So I can bypass the issue with VPN and routing, which still does not work, and I can RDP through VPN to a .8.x machine and from this machine I can RDP to any .10.x machine.

This will be the simplest solution for the moment :-)

Thank you for your investigation.

Best Regards,

Jan.
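The difference between the ACL John proposed for the VLAN 10 SVI and the 'established' ACL Jan settled on comes down to stateless first-match evaluation, which the following added example models. This is not code from the thread or from Cisco: it parses the IOS-style access-list lines from the two posts above, plus a third variant that is an assumption of this example (established first, then deny lab-to-LAN, then permit lab-to-anywhere), and evaluates a set of constructed packets as they would enter the switch from VLAN 10. Two caveats it makes visible: 'established' only tests the ACK/RST bit of a TCP segment and keeps no state, so a crafted ACK segment from the lab toward a LAN server passes, and it never matches UDP or ICMP, so ping replies to the VPN client are still dropped. With the established-only ACL, lab hosts cannot initiate any connection through that SVI, including to the internet; the third variant shows one way to allow that while still blocking new lab-to-LAN connections.

```python
"""Stateless evaluation of the IOS-style ACLs from the thread (added example).

Parses 'access-list' lines (contiguous wildcard masks, 'any', 'host', optional
'established') and evaluates packets first-match with the implicit deny. The
packets are constructed samples as seen inbound on the VLAN 10 SVI, i.e. all
sourced in 192.168.10.0/24.
"""
import ipaddress
from dataclasses import dataclass

# ACL from John's post for the VLAN 10 SVI: a stateless deny also drops RDP replies.
ACL_DENY_FIRST = """
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip any any
"""
# ACL Jan ended up with: only TCP segments with ACK/RST set may leave VLAN 10.
ACL_ESTABLISHED_ONLY = """
access-list 100 permit tcp any any established
"""
# Assumed variant (not from the thread): return traffic to the LAN, no new
# lab-to-LAN connections, but the lab may still initiate to other destinations.
ACL_ESTABLISHED_PLUS_INTERNET = """
access-list 100 permit tcp any any established
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    ack: bool = False   # TCP ACK or RST bit set: this is all that 'established' checks

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    established: bool

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is the bitwise inverse of the subnet mask (contiguous masks only here).
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [established]' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        aces.append(Ace(tokens[2], tokens[3], src, dst, "established" in rest))
    return aces

def evaluate(aces, pkt):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return ace.action
    return "deny"

# Constructed packets, all entering the switch from VLAN 10.
SAMPLE_PACKETS = {
    "rdp_reply_to_vpn_client":   Packet("192.168.10.125", "192.168.8.15", "tcp", ack=True),
    "new_rdp_to_lan_server":     Packet("192.168.10.125", "192.168.8.200", "tcp"),
    "new_tcp_to_internet":       Packet("192.168.10.125", "203.0.113.10", "tcp"),
    "ping_reply_to_vpn_client":  Packet("192.168.10.125", "192.168.8.15", "icmp"),
    # Crafted segment with ACK set: 'established' is not stateful and lets it through.
    "spoofed_ack_to_lan_server": Packet("192.168.10.125", "192.168.8.200", "tcp", ack=True),
}

def decision_table(acl_text):
    """Map each sample packet name to 'permit' or 'deny' under the given ACL."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for label, acl in [("deny-first", ACL_DENY_FIRST),
                       ("established-only", ACL_ESTABLISHED_ONLY),
                       ("established+internet", ACL_ESTABLISHED_PLUS_INTERNET)]:
        print(label)
        for name, verdict in decision_table(acl).items():
            print(f"  {verdict:6} {name}")
```

A reflexive ACL or a stateful firewall between the VLANs would close the crafted-ACK gap and also handle UDP and ICMP replies; the example only shows what the plain 'established' keyword does.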
