I have several questions with regards to our LAN/VPN and I hope someone can answer them. We are in the process of changing our IP infrastructure. The network is built up like this: ASA5520 - 3560 - Several 2950/2960.
-All IPs are in 192.168.0.x (DHCP on a Windows server)
-VPN DHCP on the ASA gives out 192.168.254.0
-192.168.2.x VLAN 2 Clients
-192.168.3.x VLAN 3 Clients
-192.168.4.x VLAN 4 Servers (DHCP/AD/DNS on 192.168.4.6)
-192.168.5.x VLAN 5 Network (Network devices)
-192.168.254.x VPN Clients
Current VPN Configuration in the ASA:
access-list split extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
ip local pool pool-vpn-client 192.168.254.99-192.168.254.200 mask 255.255.255.0
ip local pool pool-vpn2-client 192.168.254.60-192.168.254.69 mask 255.255.255.0
-Default gateway for all devices will be the 3560 (is now ASA)
-IP routing / inter-vlan routing on the 3560
-IP address out of each range on the 3560
-DHCP helper on the 3560 to the DHCP server
-DHCP scope for each vlan on our windows server
Now my questions are (note: VPN is in the 192.168.254.0 range!):
1. Can I make a NAT for 192.168.0.0/16 or do I need to define it per block (192.168.2.x etc.)? Keep in mind that VPN uses 192.168.254.x.
2. Do I need to define the VPN subnet on the 3560?
3. I presume I cannot use 192.168.0.0/16 on the ASA because of issues with the VPN route (192.168.254.0 goes out the Outside interface)? This means I would have to make default routes on the inside for each subnet.
4. In the new VPN configuration I only changed the DNS/WINS parameters. Is this enough or am I missing something?
5. When we did some tests we got a VPN error 433; it seems isakmp nat-t should be able to solve this. Sadly we were unable to test it. I did put 192.168.0.0/16 as the default inside route and 192.168.0.0/16 as the NAT, could this have caused that issue as well? Or do people see anything else that might be missing?
6. If the 3560 has 192.168.2.2 and 192.168.5.2 (5.x is the default network range for my network devices, the ASA has 5.1), should I put the default gateway for clients in the 2.x range on 2.2 or on 5.2, and why?
So I hope you can help me understand these routing/NAT/VPN issues a bit better.
PS: I hope this is the right subforum because it seems to be a bit of everything.
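Before cutting over, it is worth checking the planned addressing against the VPN configuration quoted above with a small script rather than by eye. The following is an added example (not from the post or from Cisco): it parses ACL lines of the same shape as the "access-list ... permit ip" entries in the post, reports which of the new VLAN subnets the split-tunnel/nat0 ACL does not yet permit toward the VPN pool, and flags whether a 192.168.0.0/16 summary would swallow the 192.168.254.0/24 VPN pool. The VLAN names and the single-line ACL are constructed from the values in the post.

```python
import ipaddress

# Constructed from the subnets in the post (assumed values, not read from a device).
VPN_POOL = ipaddress.ip_network("192.168.254.0/24")
NEW_VLANS = {
    "vlan2-clients": "192.168.2.0/24",
    "vlan3-clients": "192.168.3.0/24",
    "vlan4-servers": "192.168.4.0/24",
    "vlan5-network": "192.168.5.0/24",
}
# Same shape as the ASA lines in the post: "permit ip SRC SRCMASK DST DSTMASK".
SPLIT_ACL = [
    "access-list split extended permit ip "
    "192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0",
]


def parse_permit(line):
    """Return (src_network, dst_network) from an ASA-style 'permit ip' ACL line."""
    parts = line.split()
    i = parts.index("ip")  # tokens after "ip": src, srcmask, dst, dstmask
    src = ipaddress.ip_network(f"{parts[i + 1]}/{parts[i + 2]}", strict=False)
    dst = ipaddress.ip_network(f"{parts[i + 3]}/{parts[i + 4]}", strict=False)
    return src, dst


def uncovered_vlans(acl_lines, vlans, vpn_pool):
    """Names of VLAN subnets that no ACL line permits toward the VPN pool.

    Any subnet listed here would be sent through NAT / outside the tunnel
    instead of reaching VPN clients, so it needs its own ACL entry.
    """
    rules = [parse_permit(line) for line in acl_lines]
    return [
        name
        for name, cidr in vlans.items()
        if not any(
            ipaddress.ip_network(cidr).subnet_of(src) and vpn_pool.subnet_of(dst)
            for src, dst in rules
        )
    ]


def summary_swallows_pool(summary, vpn_pool):
    """True if a summary route/NAT prefix overlaps the VPN client pool."""
    return ipaddress.ip_network(summary).overlaps(ipaddress.ip_network(vpn_pool))
```

With the post's values, all four new VLANs come back as uncovered by the existing split ACL, and 192.168.0.0/16 overlaps the VPN pool.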