IP and VIP adresses temporary on different subnets

I was wondering if it's possible to add a third node temporary on a different subnet ?
I mean.. now my two nodes have these IP: XXX.XXX.0.5 and XXX.XXX.0.6 , VIP are: XXX.XXX.7.15 and XXX.XXX.7.16
Is it possible to add a third node with IP YYY.YYY.0.7 and VIP YYY.YYY.7.17 ?
Of course they can ping each other and successfully use ssh equivalence...
Thanks.

Unfortunately not, the nature of the way VIPs work means that that must be on the same subnet throughout the cluster

Similar Messages

CSM Is it possible to have the vserver (VIP) IP in a different subnet range

CSM - Is it possible to have the vserver (VIP) IP in a different subnet range than the real IP addresses in the serverfarm that is bound to it?
In other words, as an example a typical bridge configuration is like this:
vlan 221 client
ip address 10.20.220.2 255.255.255.0
gateway 10.20.220.1
vlan 220 server
ip address 10.20.220.2 255.255.255.0
<<<<<<<<<<<<Two VLANs with the same IP address are bridged together>>>>>>>>>>>>>>>>>.
serverfarm WEBFARM
nat server
no nat client
real 10.20.220.10
inservice
real 10.20.220.20
inservice
vserver WEB
virtual 10.20.220.100 tcp www
serverfarm WEBFARM
persistent rebalance
inservice
==================================================================================
NOW:
=====
Is it possible to do something like this:
==================================================================================
vlan 221 client
ip address 10.20.220.2 255.255.255.0
gateway 10.20.220.1
vlan 220 server
ip address 10.20.220.2 255.255.255.0
<<<<<<<<<<<<Two VLANs with the same IP address are bridged together>>>>>>>>>>>>>>>>>.
serverfarm WEBFARM
nat server
no nat client
real 10.20.220.10
inservice
real 10.20.220.20
inservice
vserver WEB
virtual 50.40.220.99 tcp www <<<<<<<<<< Place the IP address in a different subnet than the IP's in the serverfarm >>>>>>>>>>>>>>>
serverfarm WEBFARM
persistent rebalance
inservice
<<<<<<<<On the MSFC place a static route to route the 50.40.220.99 address towards the CSM IP on vlan 221>>>>>>>>>.
ip route 50.40.220.99 255.255.255.255 10.20.220.2
Please if somebody knows if this is or is not possible it would be highly appreciated to hear your feedback.

Pointers to examples - much appreciated.

Seed mailbox database copy through replication network (DAG members on different subnets in different sites)

Good afternoon
I currently operate a two node DAG in our primary site supporting one mailbox database. I plan to introduce a third DAG node in our datacenter which is in a different Active Directory site. Both current DAG members replicate over a dedicated replication
network to keep the traffic separate from the MAPI traffic. The third DAG member will also have a dedicated replication network adapter (of course, on a different subnet). Ideally I would like to seed the database at a time of my choosing, rather than at the
moment I add the mailbox database copy (I know how to achieve this), but I would like to specify which network the data replicates over.
According to the following (see below link) under the 'Seeding and Networks' section as my two DAG members will be on different subnets in different sites Exchange will make the decision to use the MAPI network adapters of the target and source server.
'If the source server and target server are on different subnets, even if a replication network that contains those subnets has been configured, the client (MAPI) network will be used for seeding.'
http://technet.microsoft.com/en-us/library/dd335158%28v=exchg.150%29.aspx
Am I able to force Exchange to use the replication network adapters of both source and target server when I initiate the seeding process? I have a 200+ GB mailbox database that will need to replicate over a 100Mbps internet connection to our secondary
site and I would like to keep that traffic to the replication network I have configured.
Any insight would be helpful.

Hi,
If you want to specify the networks for seeding, you can use the
Network parameter when running the
Update-MailboxDatabaseCopy cmdlet and specify the DAG networks that you want to use.
If you don't use the Network parameter, then the system uses the following default behavior for selecting a network to use for the seeding operation:
If the source server and target server are on the same subnet and a replication network has been configured that includes the subnet, the replication network will be used.
If the source server and target server are on different subnets, even if a replication network that contains those subnets has been configured, the client (MAPI) network will be used for seeding.
If the source server and target server are in different datacenters, the client (MAPI) network will be used for seeding.
So please use the Update-MailboxDatabaseCopy cmdlet with
NetWork parameter to specify which DAG network should be used for seeding.
Best regards,
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Belinda Ma
TechNet Community Support

File Server Migration from 2008 Standard to 2012 Standard accross different subnet

Hi
Im going to migrate File server from Windows 2008 Standard server to Windows 2012 Standard . Source and Destination Servers are on different subnets . According to this
http://technet.microsoft.com/en-us/library/jj863566.aspx I cannot use Server migrations tool in-built into 2012 . Im not sure if I can use file server migration toolkit 1.2?.
Also my Domain controllers are mixture of Windows 2003, 2008 , 2008 R2 and I've upgraded the schema level to 2012 R2 . Is there anything else I need to be aware of ?
Can anyone please recommended best way to go about doing this migration . Is file server migration toolkit 1.2 is compatible ? .
Only reason I don't want to use Robocopy to this is because If I miss a small setting etc then I will face unwanted downtime.
I presume Migration toolkit will also create all the Quotas etc on the destination server .
Thanks
mumtaz

Hi mumtaz,
We could use file server migration toolkit 1.2 to migrate file server between the two subnets. In order to maintain security settings after the migration, please ensure the security of files and folders after they are migrated to a target file server, the File
Server Migration Wizard applies permissions that are the same as or more restrictive than they were on the source files and folders, depending on the option you select.
In the meantime, quota cannot migrate by this tool but we can export and import the quota using dirquota command. Export the templates as xml and then import to new server:
dirquota template export /file:C:\test.xml
dirquota template import /file:C:\test.xml
For more detailed information, please see:
Template Export and Import Scenarios
http://technet.microsoft.com/en-us/library/cc730873(WS.10).aspx
Regards,
Mandy
If you have any feedback on our support, please click
here
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Can VIP and Rservers be in the same subnet in ACE Routed Mode

Good Day,
Sorry for the lengthy post.
Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
Some of the Host on each VLANs are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
Unfortunately I don't have a spare ACE to test scenario.
As always any help would greatly be appreciated.
Regards,
Raman

Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topolgies rather than routing them.
The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.

Multiple VIPs in Different Subnets

Is there any way to setup the CSS with VIPs in different subnets. If we were using an inline configuration, I don't see how this would be possible.
Let's assume three subnets A, B, and C. We would like to have a VIP in subnet A pointing to all the web servers in subnet A. Same for subnets B and C.
I guess we could configure a trunk port with a CIRCUIT interface in each of the subnets A, B, and C. This would allow clients to route to the VIP in each subnet. My concern is the return traffic. With only one default route in the CSS, all return traffic would traverse one CIRCUIT interface. Am I correct, or am I misunderstanding something?
Thanks!
Tom

I believe you are correct. We have practically the same scenario working here. I have a /29 allocated to the front-end of the CSS and the upstream HSRP routers (call that vlan 10). Then I have multiple subnets for backend servers behind the CSS setup as an 802.1q trunk vlans (call them VLAN 100, 101, 102, etc). I route for those subnets belonging to VLANs 101, 102, etc on the upstream routers to point to the VRRP address of the CSS (the VRRP address of the CSS in VLAN 10). I also route whatever IP used as a virtual to the CSS VRRP address as well. So my upstream routes will have routes to the VIPs and the backend VLANs all pointing to the CSS's VRRP address.
Casey

ACE - VIP address on different subnet

Hello,
Is it possible to configure a VIP address that is different from the VLAN subnet where it is applied on?
Fe:
VIP is 10.10.10.1/24 on VLAN 10
Interface of ACE in VLAN 10 is 192.168.1.1/24
On the upstream routers, a static route points to the VIP address (subnet) with next-hop the ACE address?
Thanks.

Unfortunately I dont have a test environment either to verify this.
I dont think you will see arp entries as the address doesnt belong to an interface.
You should see the VIPs active (sh service policy detail) for these non-interface VIPs.
If those are active then I think once client request hits the ACE it should take care of it.
I have deployed such solution with FWSM (no VIPs there but used Natted addresses not belonging to any attached interface ) and as per that experience I think it should work.
But yes you need actual clients to test this scenario.
Syed

Management and AP Manager on Different Subnets ...

Hello,
I am getting ready to implement a WLAN where the customer has designed the Management and AP Manger to be on different subnets. I have never done a WLAN implementation in this manner because per Cisco's config guide it states ...
"The AP-manager interface’s IP address must be different from the management interface’s IP address and may or may not be on the same subnet as the management interface. However, Cisco recommends that both interfaces be on the same subnet for optimum access point association."
So, I have always followed this recommendation and have always made the 2 interfaces be in the same subnet with IP's in sequential order. The config guide does say it'll work but I am just not sure what if anything do I have to do for this to work properly ... or if there is really a difference on how the process works doing it either way.
I plan on using LAG with Layer 3 ... most times I place the APs in the same wireless subnet/vlan as the management interface and AP manager but in this case or until I get more info it looks like they all may be in different subnets. So, if that's the case would I just need to use the Option 43 so the APs can find the WLC and if that is the case would I put the AP Manager IP or still use the WLC IP ... guess I would have that same question if I went the DNS route? Or do I still use the WLC IP address for the APs to join and at that point the AP Manager would take over the LWAPP communications?
Thanks for all your help in advance!

You should be using the WLC Management IP as documented in "Cisco 440X Series Wireless LAN Controllers Deployment Guide". Below is quoted from that document.
"The IP address of the WLC Management Interface should be used for Option 43 and DNS resolution of
CISCO-LWAPP-CONTROLLER.localdomain." For further information, see the section on "Understanding
Deployment Basics" beginning on page 13. Detailed information on using vendor specific DHCP Option 43
for WLC discovery is included in Appendices C, D, and E of this document.
Also there is no issue having the AP Manager and Management interfaces in different vlans although not recommended, just be sure to allow both vlans across the trunk to the WLC. I would also recommend placing your APs in different vlans than the WLC Mgmt/AP Mgr vlan. Cisco recommends having no more than 60-100 APs per vlan to minimize re-association problems in case of network failure.

WLC and AP on different subnets

I would like to add a new AP to my existing controller. Currently i have about 15 AP's connected to a seperate mgt vlan for the AP's, vlan 10. It is trunked to the controller as well as the other user vlans like Private, Public, WVoIP etc. I have already started to implement EIGRP network wide instead of having a large layer 2 vlan'd network. At one of the newest locations i'm routing at, i have a new AP to connect. I'm trying to make sure this design will work before i implement it. So, i have a 3560 connected to my core 4506 with a layer 3 connection. EIGRP running as well. I plan to have the 3560 do intervlan routing with a voice vlan, data and wireless. The problem i see is how can i get the AP to talk with the controller since they are on a different subnets, over a metro E "WAN"? Any suggestions would be great.

As long as the LAP's have been primed locally first, that LAP will have the ip address of the WLC. If you want to attach the LAP to a different L3 subnet, then configure ip helper-address using the management ip of each wlc. then configure ip forward-protocol udp 12222 & ip forward-protocol udp 12223 globally on the L3 router. this along with the ip helper, will allow the LAP's to join the WLC on the other end.

Can i change the current email adress with a different one and still keep my purchases?

can i change the current email adress with a different one and still keep my purchases?

You can change your email address as much as you want in your support profile: https://supportprofile.apple.com/
Purchases are linked to your Apple ID, not your email address. They are not necessarily identical.

Management and native Vlan in different subnet??

Can i have a management ip and native vlan in different subnet on a AIR-1242 and 2960 switch?
Native on Switch = 1.
Interface vlan 100 = 10.10.1.25X /24
BVI ip in vlan 100 = 10.10.1.25X /24
-HM-

Hi,
Thanks for the update..
Ok in short YES this can be done.. here is the AP configuration..
Step 1>> Configure the SSID and map it with respective Vlans..
Step 2>> Create the sub interafce int dot11 0.5 / int fa 0.5 (encapsulation dot1q 5 , bridge-group 5)and int dot11 0.6 / int fa 0.6(encapsulation dot1q 6 , bridge-group 6)
Step 3>> Create the sub interface 0.100 for both Radio and Fa and under this (encapsulation dot1q 100 native , bridge-group 1)
Step 4>> Make sure all the interafces are up and running and Try to ping the VLAN 100 interafce ip addr from the AP to verify.
lemme know if this answered your question..
Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

Multiple RAC databases on same GI using different subnets for Public i/face

Hello. We are configuring a 2 node cluster. That cluster will host several RAC databases. For security reasons our networking team want to create separate subnets for the application traffic to each specific RAC database on the cluster.
E.g. application 1 has 2 application servers that will connect to RAC database PROD1 via one subnet, application 2 has 3 application servers that will connect to RAC database PROD2 via a different subnet, etc.
In addition the networking team want to configure a separate management subnet that DBAs etc. will use to administer all RAC databases and infrastructure in the cluster.
Grid Infrastructure version 11.2.0.2. Database versions will vary from 10.2.0.x to 11.2.0.2. All databases will utilise RAC.
We want to take advantage of SCAN listener functionality to support connectivity to all databases on the cluster. Forum thread 2199620 [https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620] suggests that 11gR2 supports multiple subnets, which looks to be exactly the feature we need. Please can you confirm how this works and point us to any documentation (standard docs, white papers, MOS, etc.) that might help us configure this.
Document referenced in thread 2199620 was not exactly what we were looking for, and didn't translate too well in Google Translate.
Any guidance much appreciated. Thanks, Rich.
Similar threads:
https://cn.forums.oracle.com/forums/thread.jspa?messageID=9846298? (Dual SCAN on multi homed cluster)
https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620 (scan listener in OAM VLAN)
Edited by: 887449 on 26-Sep-2011 01:41

Thanks Levi. Your advice is very much appreciated.
Your statement that we can only have one SCAN listener listening on one public network is actually the clarification I was looking for.
For anyone else reading this thread I believe this gives us 3 options:
1) Configure a SCAN listener and have all applications, and all management/administration, connecting to the corresponding database on the same cluster via that SCAN listener, all on the same subnet.
2) Configure a SCAN listener for use by all applications connecting to the corresponding database on the same cluster, and use TNSNAMES/VIP for management/administration traffic, both on separate subnets (by configuring the LISTENER_NETWORKS parameter)
3) Configure a SCAN listener for use by applications connecting to one of the databases on the cluster via one subnet, use TNSNAMES/VIP for all other applications connecting to other databases, each using their own subnet. Plus, the management/administration could be via another subnet utilising TNSNAMES/VIP.
From our perspective we will work out the best one for us and implement accordingly.
Thanks again for your timely and comprehensive response.

How do I load balance TFTP between two servers and a client on the same subnet?

Hi,
I have trawled through several documents and tried umpteen different configs, all to no avail. I have a PXE boot client trying to access a boot file via TFTP from a couple of TFTP servers on the same VLAN/subnet. For HA purposes I want to load balance the two TFTP servers.
Config is currently;
=====
probe icmp ICMP_PROBE
description icmp probe for default gateway tracking
interval 5
passdetect interval 15
rserver host server1
description Server1
ip address 10.0.0.1
inservice
rserver host server2
description Server 2
ip address 10.0.0.2
inservice
serverfarm host serverfarm_01
description servers used
probe ICMP_PROBE
rserver server1
    inservice
rserver server2
    inservice
class-map match-all L4_VIP_TFTP
10 match virtual-address 10.0.0.10 udp eq 69
policy-map type loadbalance first-match L7_TFTP
class class-default
    serverfarm serverfarm_01
policy-map multi-match L4_LB_VIP_POLICY
class L4_VIP_TFTP
    loadbalance vip inservice
    loadbalance policy L7_TFTP
    loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
interface vlan 200
ip address 10.0.0.250 255.255.255.0
nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.255 pat
service-policy input L4_LB_VIP_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.254
=====
I have read the doco by Ivan Kovacevic amongst many others but as my clients and servers are on the same subnet, the config doesnt work.
Can anybody point me in the right direction please. The devices are ACE 4710 running A3(2.3).
Thanks

Try using the following configuration:
Note: Please make sure to configure also a udp probe to probe udp port 69, in case the application is down.
You need to configure a management policy on the interface when using a UDP probe.
That is because, when port 69 on the server will be unreachable, the server will send an ICMP unreachable.
ACE will consider a udp probe as "failed" only when it sees ICMP unreachable.
Without a management policy-map, the ICMP unreachable message will be dropped.
Also, add an ICMP probe to the rserver because udp probe will not be enough when the physical interface will be down.
That is because UDP is a connection-less protocol. To consider a UDP probe successfull, ACE need to see NO answer from the server in respose to the probe.
The ACE will not see any answer from the server when the interface is down and thus, will consider the probe as "sucessful".
With ICMP probe attached to the rserver, you also test the reachability of the server and not only the UDP port.
Here is the configuration (of course, you can chage the names of the of the objects to the name you are using if you want) :
access-list ALL line 10 extended permit ip any any
probe udp TFTP
port 69
interval 5
passdetect interval 15
probe icmp ICMP_PROBE
interval 5
passdetect interval 15
rserver host TFTP_1
ip address 10.0.0.1
probe TFTP
probe ICMP_PROBE
inservice
rserver host TFTP_2
ip address 10.0.0.2
probe TFTP
probe ICMP_PROBE
inservice
serverfarm host TFTP-SFARM
rserver TFTP_1
    inservice
rserver TFTP_2
    inservice
sticky ip-netmask 255.255.255.255 address source TFTP-STICKY
timeout 10
replicate sticky
serverfarm TFTP-SFARM
class-map type management match-any MANAGE
2 match protocol icmp any
class-map match-all NAT
2 match virtual-address 0.0.0.0 0.0.0.0 udp any
class-map match-all TFTP
2 match virtual-address 10.0.0.10 udp eq 69
policy-map type management first-match MANAGE
class MANAGE
    permit
policy-map type loadbalance first-match ROUTE
class class-default
    forward
policy-map type loadbalance first-match TFTP-POL
class class-default
    sticky-serverfarm TFTP-STICKY
policy-map multi-match TFTP-MULTI
class TFTP
    loadbalance vip inservice
    loadbalance policy TFTP-POL
    nat dynamic 1 vlan 212
class NAT
    loadbalance vip inservice
    loadbalance policy ROUTE
    nat dynamic 2 vlan 212
interface vlan 212
ip address 10.0.0.250 255.255.255.0
no normalization
access-group input ALL
nat-pool 1 10.0.0.241 10.0.0.243 netmask 255.255.255.0 pat
nat-pool 2 10.0.0.10 10.0.0.10 netmask 255.255.255.0 pat
service-policy input TFTP-MULTI
service-policy input MANAGE
no shutdown
Let me know how it goes.
Good luck!

Hyperion Servers on Different Subnets

Our network engineers have designed a new scheme for our networkwhereby there will be different subnets for the web servers,application servers, and database servers. We are onHyperion System 9, our web server contains the Hyperion WASservices (planning, reporting, shared services, openldap, etc); ouressbase db and license server are on one database server, and SQLand the reports server (communications, scheduler, etc) are onanother server. In this new network scheme, the Hyperion webserver will be on a different subnet than the two database servers. Does anyone see any issues or know of any issues with thissetup? Thanks,Candy

Hi,
You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
The following extract from a configuration shows the basic principle:
rserver host master
ip address 10.199.95.2
inservice
rserver host slave
ip address 10.199.38.68
inservice
serverfarm host FARM-web2-Master
description Serverfarm Master
probe PROBE-web2
rserver master
inservice
serverfarm host FARM-web2-Slave
description Serverfarm Slave
probe PROBE-web2
rserver slave
inservice
class-map match-any L4VIPCLASS
2 match virtual-address 10.199.80.12 tcp eq www
3 match virtual-address 10.199.80.12 tcp eq https
policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match LB-POLICY
class class-default
serverfarm FARM-web2-Master backup FARM-web2-Slave
policy-map multi-match L4POLICY
class L4VIPCLASS
loadbalance vip inservice
loadbalance policy LB-POLICY
loadbalance vip icmp-reply active
loadbalance vip advertise
nat dynamic 1 vlan 384
service-policy input L4POLICY
interface vlan 383
description ACE-web2-Clientside
ip address 10.199.80.13 255.255.255.248
alias 10.199.80.12 255.255.255.248
peer ip address 10.199.80.14 255.255.255.248
access-group input ACL-IN
access-group output PERMIT-ALL
no shutdown
interface vlan 384
description ACE-web2-Serverside
ip address 10.199.80.18 255.255.255.240
alias 10.199.80.17 255.255.255.240
peer ip address 10.199.80.19 255.255.255.240
access-group input PERMIT-ALL
access-group output PERMIT-ALL
nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
HTH
Cathy

ASA 5505: VPN Access to Different Subnets

Hi All-
I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24). Is this even possible? Below is the configurations on our ASA,
Thanks in advance:
ASA Version 8.2(5)
names
name 10.0.1.0 Net-10
name 20.0.1.0 Net-20
name 192.168.254.0 phones
name 192.168.254.250 PBX
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 13
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.139.79 255.255.255.224
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
interface Vlan13
nameif phones
security-level 100
ip address 192.168.254.200 255.255.255.0
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq ssh
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu phones 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
global (phones) 20 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
nat (phones) 0 access-list phones_nat0_outbound
nat (phones) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh Mac 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config inside
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
wins-server none
dns-server value 64.238.96.12 66.180.96.12
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
ipv6-vpn-filter none
vpn-tunnel-protocol svc
group-lock value PAS-SSL-VPN
default-domain none
vlan none
nac-settings none
webvpn
svc mtu 1200
svc keepalive 60
svc dpd-interval client none
svc dpd-interval gateway none
svc compression none
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool SSLClientPool-10
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://X.X.139.79/PAS_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous

Hi Jouni-
Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0). The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
Per you recommendation, I removed the following configs from my ASA:
global (phones) 20 interface
... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
global (inside) 10 interface
nat (outside) 10 access-list vpn_nat_inside outside
.... removing these two configurations caused the inside LAN to be unreachable. The phone LAN was not reachable, either. So, I put the '10' configurations back.
The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
"portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
What do you think?
Thanks!

IP and VIP adresses temporary on different subnets

Similar Messages

Maybe you are looking for