I don't know if this is the right forum to put this on, but this will get me started.
I have an existing network that has 3 remote locations that are connected with a VPN using the PIX 506e firewall running PIX Version 6.3(3). The network scheme is 192.168.B.xxx/24, where B = branch number: 1 = HQ, 2 = B2, 3 = B3, 4 = B4. Branches 2 & 4 are at the same location and go through the same PIX in the VPN. The PIXes are the default gateway for the networks right now; they are taking care of the static routing between the stores. My NAT is (nat (in) 1 0 0, glo (out) 1 interface). I have the Business System at HQ with the IP of 192.168.1.1/24, which all of the locations talk to right now.
I created a VLAN scheme that will separate the departments at HQ (Branch 1) using one Cisco 3550 layer 2/3 switch, with port 1 as the routing port that will connect to the PIX with a /30 scheme, and two 2960 switches that are all trunked. It has 6 VLANs. To save time we'll say the IP scheme is 10.215.D.xxx/24, where D = department number 1 - 5, and VLAN 6 is 192.168.1.xxx/24 for the business system and its devices.
I wanted to check with some people before I install the VLAN, so that when I'm installing the equipment and changing the IP scheme, if I hit a bump I don't have to reconfigure back to the old configuration because of some small detail I didn't think of. So, I thought I would ask for some advice. What I'm most concerned about is the routing / VPN between the locations, and everyone talking to one another.
For the firewall I don't think that I have to do anything to the ACL, because the VPN tunnel is still seeing the 192.168.1.xxx network that was already on the PIX; the VLAN is behind the 3550 layer 2/3 port 1, which is the routing port, and the PIX will find it in the routing table, correct? But if I want the other location to connect to, say, the 10.215.2.xxx network, I will have to place the route on the PIX at the locations.
The only thing that I'm thinking is that if I wanted the other network to talk to the VLANs I would have to add them to the ACL with a permit. I think this is all I would have to add to the PIX to allow them to talk to one another. Of course I will have to reorder my ACL.
HQ# access-list 100 permit ip 192.168.2.0 255.255.255.0 10.215.2.0 255.255.255.0
Br2# access-list 100 permit ip 10.215.2.0 255.255.255.0 192.168.2.0 255.255.255.0
I will have to change the inside address to /30.
Is there anything other than that I would have to do in order for the VLANs to work and keep the networks functional?
I think you need to take care of some aspects such as:
1.- Routing to/from the sites towards those new VLANs.
2.- ACL on the firewalls to allow access to/from the sites towards the new VLANS.
3.- This is critical. You also need to make sure that your VPN configuration to/from those sites towards the new VLANs includes those extra ranges. If you don't add them to the access-list you are using for identifying the IPsec interesting traffic, then you will have problems trying to communicate with those new VLANs over the IPsec tunnel.
4.- The above point also relates to making sure that you are BY-PASSING NAT for the above traffic so that source IP addresses remain unchanged when communicating to/from sites over the VPN.
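The four points above, worked through as one PIX 6.3 / 3550 configuration fragment. This is an added example, not configuration from the original post, and it generalises the poster's single 10.215.2.0/24 line to a 10.215.0.0/16 summary that covers all five department VLANs. The /30 link (172.16.0.0/30), the ACL names nonat, vpn-br2 and vpn-hq, the crypto map name outside_map with sequence 10, and the 3550 port name FastEthernet0/1 are all assumptions; the existing tunnel is assumed to already carry a nonat and crypto ACL entry for 192.168.1.0/24, so only the 10.215 lines are new.

```cisco
! ---- HQ PIX (PIX 6.3) ----
! Constructed /30 for the link to the 3550 routing port (not on the page):
! PIX inside = 172.16.0.1, 3550 port 1 = 172.16.0.2
ip address inside 172.16.0.1 255.255.255.252
! 1. Routing: every HQ VLAN (10.215.1-5.0/24 and 192.168.1.0/24) now sits
!    behind the 3550, so the PIX needs static routes pointing at it.
route inside 10.215.0.0 255.255.0.0 172.16.0.2 1
route inside 192.168.1.0 255.255.255.0 172.16.0.2 1
! 4. NAT bypass: VPN-bound traffic keeps its real source address.
!    "nonat" is an assumed ACL name; the 192.168.1.0/24 line is what the
!    working tunnel already needs, the 10.215.0.0/16 line is the new one.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.215.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
global (outside) 1 interface
! 3. Crypto ACL (IPsec interesting traffic) for the tunnel to Branch 2.
!    It must list the same source/destination pairs as the nonat ACL.
!    "vpn-br2", "outside_map" and sequence 10 are assumed names.
access-list vpn-br2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn-br2 permit ip 10.215.0.0 255.255.0.0 192.168.2.0 255.255.255.0
crypto map outside_map 10 match address vpn-br2
! 2. Interface ACL (the poster's ACL 100, assumed bound with
!    "access-group 100 in interface outside"); only consulted for decrypted
!    traffic if "sysopt connection permit-ipsec" has been turned off.
access-list 100 permit ip 192.168.2.0 255.255.255.0 10.215.2.0 255.255.255.0

! ---- Branch 2 PIX: mirror image of HQ. No extra route is needed: traffic
! to 10.215.0.0/16 follows the default route out the outside interface and
! is matched by the crypto ACL there.
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 10.215.0.0 255.255.0.0
nat (inside) 0 access-list nonat
access-list vpn-hq permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn-hq permit ip 192.168.2.0 255.255.255.0 10.215.0.0 255.255.0.0
crypto map outside_map 10 match address vpn-hq

! ---- 3550 (IOS): routed port toward the PIX and a default route back ----
ip routing
interface FastEthernet0/1
 no switchport
 ip address 172.16.0.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 172.16.0.1
```

The point to check before cutting over is that the nonat ACL and the crypto ACL on each side are exact mirrors of each other: a range present in the crypto ACL but missing from nonat is sent through the PAT pool with the outside address as its source and never matches the tunnel, while a range in nonat but not in the crypto ACL leaves the PIX unencrypted with a private source address and is dropped upstream. On PIX 6.3 the sysopt connection permit-ipsec setting is enabled by default, so the interface ACL 100 is not what gates VPN traffic; the crypto and nonat ACLs are.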