RVS4000 lan subnet ask
I'm planning to use RVS 4000 in 10 of my branch offices.
The current IPs of those branch offices are in 10.12.0.0/16 (255.255.0.0).
When trying to configure the RVS4000 LAN IP, I only have a drop-down for selecting the mask, and the largest one is 255.255.255.0. Is there any way of using a larger mask than that?
Thanks!
The LAN configuration of RVS4000 is limited to a Class C network. That said, RVS4000 does support multiple VLANs, each of which is a Class C network.
Similar Messages
-
PBR using dual ISP and single LAN subnet
Hello,
I have 2 ISP connections on the Cisco router 29121 i.e. Leased Line and PPPoe and single LAN subnet
I want to use PBR.
I want to allow ip traffic destined for 1.1.1.1,2.2.2.2,3.3.3.3 ( Fictitious IP) to go through Lease Line
and all other traffic through PPPoe
Please help me to achieve this.
Thanks in advance.
WoW Great Thanks cadet alain
It is working as desired.
This is my current config. I just want your help with one last thing:
If the leased line goes down, I want to direct the users to PPPoE.
However, if PPPoE goes down, the users should NOT BE directed to the leased line.
int gi0/0
description << Leased Line >>
ip address 100.100.100.101 255.255.255.252
ip nat outside
no shut
int gi0/2
description << LAN Subnet>>
ip address 10.1.50.1
ip nat inside
ip policy route-map lease
no shut
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in max-reassemblies 512
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname XXXXXXXXXXXXXXX
ppp chap password 0 9860
ppp pap sent-username XXXXXXXXXXXXXXX password 0 9860
no cdp enable
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no shut
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
access-list 100 permit ip 10.1.50.0 0.0.0.255 any
route-map lease permit 10
match ip address 100
match interface gi0/0
route-map pppoe permit 10
match ip address 100
match interface dialer 0
ip nat inside source route-map lease interface gi0/0 overload
ip nat inside source route-map pppoe interface dialer 0 overload
access-list 101 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
access-list 101 permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2
route-map PBR permit 10
match ip address 101
set ip next-hop 100.100.100.102
ip route 0.0.0.0 0.0.0.0 dialer0
ip route 0.0.0.0 0.0.0.0 100.100.100.102 -
VMW Fusion 4.1 breaks 1 host LAN subnet
Testing VMware Fusion 4.1 on '09 MacBook Pro Lion 10.7.2 to run a Lion 10.7.2 guest for testing. When Fusion is running, regardless of VM on, suspended or stopped, it sometimes has (not yet consistently reproducible) killed Exchange mail in the host (mail.app or MS 02k11) and kills any new access to one particular local subnet (yet all other LAN and WAN subnets are fine) from the host wired ethernet LAN (guest VM running bridged, wifi, totally separate / firewalled from host wired LAN). Quit Fusion and, bam, all works again. Repeatable back & forth, and after reboot with nothing else running. Can't even ping the subnet on the router. Even stranger: if shared server volumes from the affected subnet are mounted in the host before starting Fusion they stay mounted and fully accessible for read/write, yet their whole subnet can no longer be pinged, and no new connection to the server from the host can be established.
Tried changing lots of network settings in host, Fusion and guest VM, seems to make no difference: The simple act of starting Fusion.app breaks host access to just the 1 local subnet. Quitting Fusion.app restores it.
Anyone got any ideas what causes this, maybe something simple I've overlooked? TIA.
Sorry to hear that.
But Apple have probably broken it when they added the MobileMe and modified the Wide-Area Bonjour code.
However, I can report that Back-to-My-Mac does work on the AEBS. If you are already a MM subscriber, you can use that to get back to the AirDisk. -
RV130 router : Unable to modify LAN subnet mask
Hi every one,
I'm using a cisco router RV130, which runs the latest firmware (1.0.1.3), and when
I set an IP address to the LAN interface, I can't choose the subnet mask greater than /24.
The scrolling list proposes only these values :
255.255.255.0
255.255.255.128
255.255.255. .. and so on to 255.255.255.252
The issue is that the customer's LAN address is 172.17.0.0/16 (255.255.0.0).
Any clue ?
Thierry
Please see the attached Word Document for how to create a case online. Please make sure your CCOID is associated with the Product and/or the contract. This will prevent any issue when creating a case. If there is an issue with the association, the 1-866-606-1866 number will put you in touch with the people to assist in the association to your CCOID. Hope this helps.
-
Hi,
I have a LAN using IP range 192.168.1.x. I am currently using a Cisco 857 ADSL router to provide internet access to all the PCs in the LAN.
I want to change the network so that IP addresses are separated into different departments, eg 192.168.10.x, 192.168.20.x. Each different network would be able to access the internet, mail server and the file server etc, but would not have access to each other.
Could this be achieved using ACLs on my existing router? The Cisco router only has 4 ports; would I need to purchase an additional router, or a layer 3 switch, to do this?
Thanks
Nick
Hi,
It's true, the 850 series only supports one vlan. :(
You would have to put a Layer3 switch behind it, and create a separate subnet connecting it to the cisco 857 (either by VLAN/SVI or routed port).
On the L3 switch create different VLANs and SVIs for your clients. Assign different ports to the desired Client VLANs. Communication between the VLANs can be limited by ACLs applied to the SVIs.
On the L3 switch point a default route towards the Cisco 857, and don't forget to set appropriate routes on your Cisco 857 pointing back to the Layer 3 Switch.
hth
Ingo -
I have a tunnel created and I need to NAT the local network 192.168.1.0/24 to 172.31.196.0/24 to the destination IP, let's say (2.2.2.2)
code version is 821
name 2.2.2.2 External_IP
name 172.31.196.0 Local_xlated
I thought the statement would look like nat (inside,outside) inside-network Local_xlated static destination External_IP
eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) MC_Local_xlated access-list L2LVPN-POLICYNAT
match ip inside 192.168.1.0 255.255.255.0 outside host External_IP
static translation to MC_Local_xlated
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (External_IP [Interface PAT])
translate_hits = 24686918, untranslate_hits = 1904674
Additional Information:
Dynamic translate EluciMX01/53 to External_IP/356 using netmask 255.255.255.255
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32668832, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
eluciasa(config)# -
I own 2 Cisco RVS4000 routers. One is my gateway with a untangle UTM machine behind it. Untangle does not support vlan tags so I have a second RVS4000 router behind the untangle machine which I would like to setup vlans on. I have the second RVS4000 setup in router mode not gateway. I would prefer to not double nat. I have static routes between the 2 routers working. I have super scoped the first router so all my addresses and networks are within scope of the first RVS4000 router address and mask. I am trying to use the second RVS4000 as just a normal router with no firewall. My reason for all of this is I believe the first RVS4000 will not NAT traffic from the second RVS4000 LAN network because it is out of scope and I have no internet access from the second RVS4000 router. My IP addresses for the RVS4000 routers are as follows
First RVS4000
WAN PPPOE DHCP
LAN IP 192.168.16.1 255.255.255.0
Second RVS4000
WAN Static IP 192.168.16.3 255.255.255.128
LAN IP 192.168.16.130 255.255.255.128
My problem now after all this is I cannot get DHCP on the second RVS4000 to assign addresses in the 255.255.255.128 scope. When I try to set up DHCP the second RVS4000 router just wipes out my statically assigned address on the LAN side. It just blanks the IP address out and resets the mask to 255.255.255.0. I have not got to the VLAN part but I figure it will not work if this does not work. Do you see any errors in my configuration? I think maybe this is a bug in the router code. What do you think?
Hi Lee, here is a new proposal based off the additional information with the assumptions*
*192.168.16.1 is connecting to the internet and is the NAT device
**192.168.16.130 is router mode
***Untangle UTM cannot participate VLAN 2
For 192.168.1.1 Gateway router
Configure 192.168.1.1 router for internet connectivity
Configure a second VLAN as desired and specify the DHCP scope
Configure a single port to be 1 untagged for the Untangle Box
Configure a single port to be 1 untagged, 2 tagged
For the 192.168.16.130 Router Mode
Configure the router in router mode
Connect this router from a LAN port of the 192.168.1.1 to a LAN port of this router
Configure the second VLAN with the corresponding subnet of the 192.168.1.1 router
Set a single port as 1 untagged, 2 tagged to connect to the 192.168.1.1 router
If your access point services both subnets, configure a single port as 1 untagged, 2 tagged
For access point configuration
Assign a static IP on the subnet of VLAN 1, my example 192.168.16.131
Configure your SSID
Associate the VLAN ID to the SSID you desire
Key Notes-
Wireless isolate within SSID means you cannot access wirelessly connected devices while connected to the same SSID
Wireless isolate between SSIDs means you cannot access wireless clients on one SSID while connected to the other SSID
You may disable all intervlan routing on the 192.168.1.1 router
-Tom -
RVS4000 V1 tracks some VLAN to VLAN connections backwards
Firmware V1.3.3.5
Operation Mode: Gateway
VLANs: 4, one per LAN subnet
Inter-VLAN Routing: Enabled
I've got all of the management interfaces of the infrastructure devices
(switches, UPS, WAPs) on the default VLAN 1 that is configured as untagged on
all relevant ports. I've noticed that the router will track most of the routed
connections from the non-default VLANs to devices on the default
VLAN backwards, where the destination is listed as the source and vice versa,
often with the SYN_SENT state instead of ESTABLISHED as reported by the source
host.
I get this information from the IP Conntrack view launched from the
Status/Gateway screen. This is how a telnet connection from a computer on the
guest VLAN 3, subnet 10.0.89.0/24 to the default mgmt VLAN 1, subnet
192.168.75.0 looks in IP Conntrack
Basic Information: Protocol TCP, Life Time 44, State SYN_SENT
Original Direction: Source 192.168.75.98:23 -> Destination 10.0.89.2:50196
Reply Direction: Source 10.0.89.2:50196 -> Destination 192.168.75.98:23
Also, there are corresponding entries in the router's access log.
Jan 29 22:26:00 - [Access Log]I TCP Packet - 192.168.75.98:23 --> 10.0.89.2:50196
Notice that it is incoming as expected as opposed to outgoing (to the WAN port).
I know that these are routed connections, for when I turn off Inter-VLAN
Routing, I cannot make any connections from one VLAN subnet to another.
This reversed connection tracking anomaly is causing the firewall ACLs that I have
implemented to block traffic from the guest VLAN (3) to the default
(infrastructure) VLAN to not work, since ACLs are defined based on source IP
and destination IP. Connections to other VLANs other than the default appear as expected
in the access log and the IP Conntrack view.
Is this a known bug with the RVS4000 V1?
Thanks for the answer.
I investigated the thread you sent and found there the solution, which can be shortened to one line:
Setup -> Advanced Routing -> Inter-VLAN Routing -> Disable
Once more, Many THX
It works and is solved. -
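As an added example (not code from the thread above), the following Python checker parses IP Conntrack rows in the column layout shown in the post, flags entries that appear to be tracked backwards, and shows why a source/destination ACL written against the real guest client never matches such an entry. The row string, the reversal heuristic and the ACL representation are assumptions made for this example.

```python
"""Detect backwards conntrack entries and show their effect on a src/dst ACL."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ConntrackEntry:
    proto: str
    lifetime: int
    state: str
    original: Flow   # "Original Direction" columns
    reply: Flow      # "Reply Direction" columns


# Constructed row, same column order as the IP Conntrack view in the post:
# proto lifetime state | orig src ip/port, dst ip/port | reply src ip/port, dst ip/port
SAMPLE_REVERSED_ROW = "TCP 44 SYN_SENT 192.168.75.98 23 10.0.89.2 50196 10.0.89.2 50196 192.168.75.98 23"
# Constructed row for a normally tracked web session from the guest VLAN
SAMPLE_NORMAL_ROW = "TCP 120 ESTABLISHED 10.0.89.2 50196 10.0.88.5 80 10.0.88.5 80 10.0.89.2 50196"


def parse_row(row: str) -> ConntrackEntry:
    """Split one whitespace-separated conntrack row into an entry."""
    f = row.split()
    if len(f) != 11:
        raise ValueError(f"expected 11 columns, got {len(f)}")
    proto, lifetime, state = f[0], int(f[1]), f[2]
    original = Flow(proto, f[3], int(f[4]), f[5], int(f[6]))
    reply = Flow(proto, f[7], int(f[8]), f[9], int(f[10]))
    return ConntrackEntry(proto, lifetime, state, original, reply)


def looks_reversed(e: ConntrackEntry) -> bool:
    """Heuristic: a TCP handshake whose recorded 'source' is a well-known service
    port and whose 'destination' is an ephemeral port, i.e. the tracker recorded
    the responder as the initiator (the anomaly described in the post)."""
    o = e.original
    return (e.proto == "TCP" and e.state == "SYN_SENT"
            and o.src_port < 1024 and o.dst_port >= 1024)


def real_initiator(e: ConntrackEntry) -> Flow:
    """The client-side tuple the entry should have had (dst = service port)."""
    if looks_reversed(e):
        o = e.original
        return Flow(e.proto, o.dst_ip, o.dst_port, o.src_ip, o.src_port)
    return e.original


@dataclass
class AclRule:
    action: str                     # "deny" or "permit"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_decision(rules, flow: Flow, default: str = "permit") -> str:
    """First-match ACL evaluation on source and destination IP only."""
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return default


# The intent from the post: block guest VLAN 3 (10.0.89.0/24) -> mgmt VLAN 1 (192.168.75.0/24)
GUEST_TO_MGMT_BLOCK = [AclRule("deny", ipaddress.ip_network("10.0.89.0/24"),
                               ipaddress.ip_network("192.168.75.0/24"))]


def decisions_for_row(row: str) -> dict:
    """Evaluate the ACL against the tuple as tracked and against the real client tuple."""
    e = parse_row(row)
    return {
        "reversed": looks_reversed(e),
        "on_tracked_tuple": acl_decision(GUEST_TO_MGMT_BLOCK, e.original),
        "on_real_tuple": acl_decision(GUEST_TO_MGMT_BLOCK, real_initiator(e)),
    }


if __name__ == "__main__":
    for row in (SAMPLE_REVERSED_ROW, SAMPLE_NORMAL_ROW):
        print(row.split()[2], decisions_for_row(row))
```

For the reversed row the ACL sees 192.168.75.98 as the source and lets the telnet session through, while the same rule would deny the real client tuple.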
The RVS4000 supports 4 active VLANs and has a configuration item to allow routing between VLANs. To accomplish this (routing between VLANS), we would need independent interface IP addresses for each participating VLAN. I haven't found where to configure interface IP addresses.
1) does it actually perform routing (i.e. L3 router) functions between 4 VLANs (assuming 4 are active) or does it only provide routing between the single WAN port and only one LAN subnet?
2) assuming it actually does perform routing between VLANs, how do I specify interface addresses?
3) if it doesn't provide routing, what is the purpose of the allow routing between VLANs check box?
4) again if it doesn't really provide routing, what product is best to route between 4 VLANs (NAT not required).
Thanks for the quick reply, tekliu.
Do I also define an IP address for each VLAN (interface address) on that page?
Can I define the info on the DHCP page without actually using or enabling DHCP (e.g. define a scope with no addresses).
I'm assuming, then, that I could ignore the WAN port and use it as a complete four subnet L3 router (which is exactly what I want). Sound right? -
Remote access VPN client gets connected no access to LAN
: Saved
ASA Version 8.6(1)2
hostname COL-ASA-01
domain-name dr.test.net
enable password i/RAo1iZPOnp/BK7 encrypted
passwd i/RAo1iZPOnp/BK7 encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.32.0.11 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.9.200.126 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
nameif failover
security-level 0
ip address 192.168.168.1 255.255.255.0 standby 192.168.168.2
interface Management0/0
nameif management
security-level 0
ip address 192.168.2.11 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name dr.test.net
object network RAVPN
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.9.200.0_24
subnet 192.9.200.0 255.255.255.0
object-group network inside_network
network-object 192.9.200.0 255.255.255.0
object-group network Outside
network-object host 172.32.0.25
access-list RAVPN_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
access-list test123 extended permit ip host 192.168.200.1 host 192.9.200.190
access-list test123 extended permit ip host 192.9.200.190 host 192.168.200.1
access-list test123 extended permit ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0
access-list test123 extended permit ip 192.9.200.0 255.255.255.0 object NETWORK_OBJ_192.9.200.0_24
pager lines 24
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu failover 1500
ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
route outside 0.0.0.0 0.0.0.0 172.32.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=KWI-COL-ASA-01.dr.test.net,O=KWI,C=US
crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 outside
ssh 66.35.45.128 255.255.255.192 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
group-policy RAVPN internal
group-policy RAVPN attributes
wins-server value 192.9.200.164
dns-server value 66.35.46.84 66.35.47.12
vpn-filter value test123
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test123
default-domain value dr.kligerweiss.net
username test password xxxxxxx encrypted
username admin password aaaaaaaaaaaa encrypted privilege 15
username vpntest password ddddddddddd encrypted
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
address-pool RAVPN
default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 2
subscribe-to-alert-group configuration periodic monthly 2
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea
: end
COL-ASA-01#
Here is some capture done on the inside interface which may help too. I tried pointing the gateway to the inside interface on the target device, but I think this was a switch without ip route available on it; I believe that it is still sending packets back to the Cisco inside interface.
COL-ASA-01# sho cap test | in 192.168.200
25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request
29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137: udp 68
38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137: udp 68
56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137: udp 68
69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request
98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request
99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137: udp 68
108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137: udp 68
115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137: udp 68
116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request
COL-ASA-01#
Any help or pointers greatly appreciated, I am doing this config after a long gap on Cisco last time I was working it was all PIX so just need some expert eyes to let me know if I am missing something.
And yes, I do not have a host in the inside network to test against; all I have is a switch which cannot route, and ip default-gateway is not helping either...
Hi,
The first thing you should do to avoid problems is to change the VPN Pool to something else than the current LAN network as they are not really directly connected in the same network segment.
You could try the following changes
tunnel-group RAVPN general-attributes
no address-pool RAVPN
no ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
ip local pool RAVPN 192.168.201.1-192.168.201.254 mask 255.255.255.0
tunnel-group RAVPN general-attributes
address-pool RAVPN
no nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
In the above you first remove the VPN Pool from the "tunnel-group" and then remove and recreate the VPN Pool with another network and then insert it back to the same "tunnel-group". Next you remove the current NAT configuration.
object network LAN
subnet 192.168.200.0 255.255.255.0
object network VPN-POOL
subnet 192.168.201.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
The above NAT configuration adds the correct NAT0 configuration for the changed VPN Pool. It also inserts the NAT rule at the very top, before the Dynamic PAT rule you currently have. That rule is also one of the problems with the configuration, as it will override your current NAT configurations.
You have your Dynamic PAT rule at the very top of your NAT rules currently, which is not a good idea. If you wish to change it to something else that won't override the other NAT configurations in the future, you can do the following change.
no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
NOTICE! Changing the above Dynamic PAT configuration will temporarily terminate all connections for users from the LAN as you reconfigure the Dynamic PAT rule. So if you do this change, make sure that it's ok to cause a small cut in the current connections of internal users.
Hope this helps
Let me know if it works for you
- Jouni -
Assigning non-standard subnet mask to local IP address on WRT54GX
I need to configure my WRT54GX V1 as an access point. I know how to accomplish this, but our corporate network uses a subnet mask of 255.255.252.0. How can I assign this net mask? The only options are contained in a drop-down menu and what I need is not there. Is there a different way to assign the subnet mask rather than using the menus?
It is a known limitation of Linksys wireless routers that they only support LAN subnets up to 255.255.255.0. I guess the assumption was that the router only runs LANs for up to 253 LAN devices. The plain access point setup (i.e. uplink through LAN-LAN connection) was never properly considered an option although it is documented in the Linksys easy answers.
Anyway, to set up the WRT as access point the LAN IP address of the WRT and the subnet mask is not important for the wireless connectivity into the LAN. The LAN IP address and subnet mask is only relevant to access the web interface of the WRT to make configuration changes. You have to make sure that the DHCP server on the WRT is turned off and that a LAN port of the WRT is wired to your existing LAN.
For the LAN IP address setup you have three options:
1. Use an available IP address inside your LAN and use subnet mask 255.255.255.0, e.g. if your LAN uses 10.0.0.0/255.255.252.0, assign the WRT an IP address of 10.0.3.200 with subnet mask 255.255.255.0. Of course, in that case you are only able to access the web interface of the WRT http://10.0.3.200/ from a computer in 10.0.3.* because that's the IP subnet which the WRT thinks is connected to its LAN ports. You cannot use a computer with IP address 10.0.{0,1,2}.* because the WRT does not know how to route these IP addresses. If your computer has an IP address outside the configured WRT LAN subnet you must temporarily change the IP address of the computer.
2. If you assign a LAN IP address and subnet mask to your WRT which includes a network router you may be able to get full connectivity by setting up static routes in the WRT. For instance, if you assign 10.0.3.200/255.255.255.0 to your WRT and your main LAN router sits at 10.0.3.254/255.255.252.0 you may be able to set up static routes for destinations 10.0.0.0/255.255.254.0 and 10.0.2.0/255.255.255.0 (or if it works even simply destination 10.0.0.0/255.255.252.0) to gateway IP address 10.0.3.254 on the LAN interface. Traffic from the computer to the router should go directly while the responses from the router to the computer go through the main router. I think this should work although I am not 100% sure.
3. Use any IP address outside your LAN, e.g. the default 192.168.1.1/255.255.255.0. Again, you must temporarily set up a static IP address on your computer to gain access to the web interface. But even with a LAN IP address outside your LAN the WRT will still bridge wireless clients into the LAN as it is supposed to do. -
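The three options above, and the opening RVS4000 /16 question, all come down to the same arithmetic: a device that only accepts masks up to /24 inside a larger LAN. The added Python helper below (not code from the thread, standard library only) computes what such a device believes its LAN is, which management PCs can reach its web interface directly (option 1), and the static routes option 2 needs; the /24 limit, the function names and the sample addresses are assumptions for this example.

```python
"""Plan addressing for a /24-only device placed inside a larger LAN."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: the mask drop-down on these routers stops at 255.255.255.0
MAX_PREFIXLEN_OFFERED = 24


@dataclass
class AddressingPlan:
    device_subnet: ipaddress.IPv4Network       # what the device believes its LAN is
    directly_reachable: ipaddress.IPv4Network  # PCs that reach the web UI without extra routes
    static_routes: list = field(default_factory=list)  # (destination, next hop) pairs for option 2


def plan_device_in_larger_lan(lan_cidr: str, device_ip: str, lan_gateway: str) -> AddressingPlan:
    """Work out the consequences of giving device_ip a /24 mask inside lan_cidr.

    lan_gateway is the main LAN router (e.g. 10.0.3.254 in option 2 above); it must
    sit inside the device's /24, otherwise the device cannot ARP for the next hop.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    dev = ipaddress.ip_address(device_ip)
    if dev not in lan:
        raise ValueError(f"{device_ip} is not inside {lan}")
    if lan.prefixlen >= MAX_PREFIXLEN_OFFERED:
        # The real mask is available in the drop-down; nothing to work around.
        return AddressingPlan(lan, lan, [])

    # Option 1: the device's view of its LAN, forced to the largest mask offered.
    dev_subnet = ipaddress.ip_network(f"{dev}/{MAX_PREFIXLEN_OFFERED}", strict=False)

    # Option 2: every part of the real LAN the device cannot see directly has to be
    # reached via the main router. address_exclude() yields the minimal set of
    # prefixes, e.g. 10.0.0.0/23 and 10.0.2.0/24 for a 10.0.0.0/22 LAN.
    gw = ipaddress.ip_address(lan_gateway)
    if gw not in dev_subnet:
        raise ValueError(f"next hop {gw} is outside {dev_subnet}; the device cannot reach it")
    routes = [(net, gw) for net in sorted(lan.address_exclude(dev_subnet))]
    return AddressingPlan(dev_subnet, dev_subnet, routes)


def can_manage_directly(plan: AddressingPlan, admin_ip: str) -> bool:
    """True if a PC at admin_ip reaches the device's web UI with no static routes."""
    return ipaddress.ip_address(admin_ip) in plan.directly_reachable


if __name__ == "__main__":
    # The WRT54GX example from the answer above
    plan = plan_device_in_larger_lan("10.0.0.0/22", "10.0.3.200", "10.0.3.254")
    print("device thinks its LAN is", plan.device_subnet)
    for net, gw in plan.static_routes:
        print(f"  static route {net} via {gw}")
    for admin in ("10.0.3.17", "10.0.1.5"):
        print(f"  {admin} reaches the web UI directly: {can_manage_directly(plan, admin)}")

    # The branch-office /16 from the opening question: eight summary routes are needed
    branch = plan_device_in_larger_lan("10.12.0.0/16", "10.12.0.1", "10.12.0.254")
    print("branch office routes:", [str(net) for net, _ in branch.static_routes])
```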
Routing Experts please help with below LAN routing issue with NAT
Hello Experts,
I have a weird situation and requirement.
The existing setup is -
We have an email/ticketing server hosted in the LAN which is reachable on the publicly NAT'ed IP with the respective port numbers 89 & 443. We have the LAN & servers on the same subnet. The internet is with a public DHCP IP assigned by the ISP (/29). We use the Linksys router GUI for NAT settings (attached). We are using the same public IP for the server NAT & user NAT.
We tried to refresh our network by separating the subnets for LAN users & servers. We used the Cisco 3845 router to create sub-interfaces in the LAN and configure respective subnets. Now both user subnet and server subnet are connecting to the Internet with same public IP (static NAT for servers & dynamic for users). We can connect to the server IP from the Internet and it resolves fine. However user LAN subnet cannot connect to the server if we try the URL. Users can access the Internet fine.
Please find attached a short diagram and the configuration below, and please give your inputs to solve this.
Cisco 3845 router
access-list 1 permit 10.155.60.0 0.0.0.255
access-list 2 permit 10.155.61.0 0.0.0.255
access-list 3 permit 10.155.62.0 0.0.0.255
ip nat inside source list 1 int g0/0 overload
ip nat inside source list 2 int g0/0 overload
ip nat inside source list 3 int g0/0 overload
int g0/0
ip add 8.8.8.8 255.255.255.248
ip nat outside
no shut
int g0/1
description Trunk-to-Switch
no shut
int g0/1.60
description User vlan
ip add 10.155.60.1 255.255.255.0
encapsulation dot1q 60
ip nat inside
int g0/1.62
description Server vlan
ip add 10.155.62.1 255.255.255.0
encapsulation dot1q 62
ip nat inside
exit
aaa new-model
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
aaa session-id common
acl 120
max-users 10
exit
!access-list 120 remark ==[Cisco VPN Users]==
access-list 120 permit ip any host 192.168.0.10
access-list 120 permit ip any host 192.168.0.11
access-list 120 permit ip any host 192.168.0.12
access-list 120 permit ip any host 192.168.0.13
access-list 120 permit ip any host 192.168.0.14
access-list 120 permit ip any host 192.168.0.15
access-list 120 permit ip any host 192.168.0.16
access-list 120 permit ip any host 192.168.0.17
access-list 120 permit ip any host 192.168.0.18
access-list 120 permit ip any host 192.168.0.19
no access-list 100
access-list 100 remark [Deny NAT for VPN Clients]=-
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.10
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.11
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.12
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.13
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.14
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.15
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.16
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.17
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.18
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.19
access-list 100 remark
access-list 100 remark -=[Internet NAT Service]=-
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
exit
ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
ip nat inside source static tcp 10.155.62.55 88 8.8.8.8 88
ip nat inside source static udp 10.155.62.55 88 8.8.8.8 88
ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
ip nat inside source static udp 10.155.62.84 3389 8.8.8.8 3389
ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
ip nat inside source static udp 10.155.62.98 80 8.8.8.8 80
ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
ip nat inside source static udp 10.155.62.98 443 8.8.8.8 443
ip nat inside source static tcp 10.155.62.98 25 8.8.8.8 25
ip nat inside source static udp 10.155.62.98 25 8.8.8.8 25
ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
ip nat inside source static tcp 10.155.62.84 9005 8.8.8.8 9005
ip nat inside source static udp 10.155.62.84 9005 8.8.8.8 9005
ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
ip nat inside source static udp 10.155.62.84 135 8.8.8.8 135
ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
ip nat inside source static udp 10.155.62.84 139 8.8.8.8 139
ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
ip nat inside source static udp 10.155.62.84 445 8.8.8.8 445
ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
ip nat inside source static udp 10.155.62.84 90 8.8.8.8 465
ip nat inside source static tcp 10.155.62.143 3381 8.8.8.8 3381
ip nat inside source static udp 10.155.62.143 3381 8.8.8.8 3381
ip nat inside source static tcp 10.155.62.46 8081 8.8.8.8 91
ip nat inside source static udp 10.155.62.46 8081 8.8.8.8 91
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:/cme-gui-7.1.0.1
file privilege 0
telephony-service
dn-webedit
time-webedit
line con 0
line vty 0 15
login local
transport input ssh
ntp server ntp.first2know.net
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp update-calendar
ntp master
=========================================================================================================================================
Cisco 3750 Config:
vlan 60
name User
vlan 61
name Voice
vlan 62
name Server
exit
interface g1/0/1
description Trunk-to-Router
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
interface vlan 60
description User Vlan
ip add 10.155.60.2 255.255.255.0
interface vlan 61
description Voice Vlan
ip add 10.155.61.2 255.255.255.0
interface vlan 62
description Server Vlan
ip add 10.155.62.2 255.255.255.0
service dhcp
ip dhcp pool Users
network 10.155.60.0 255.255.255.0
default-router 10.155.60.1
dns-server 4.2.2.2
ip dhcp pool Voice
network 10.155.61.0 255.255.255.0
dns-server 4.2.2.2
exit
ip dhcp excluded-address 10.155.60.1 10.155.60.3
ip dhcp excluded-address 10.155.61.1 10.155.61.2
interface range gi1/0/2 - 21
switchport mode access
switchport access vlan 60
switchport voice vlan 61
exit
interface range gi1/0/22 - 26
switchport mode access
switchport access vlan 62
exit
Thanks,
Deepak

One more thing I should clarify: the route I am putting into the 10.10.1.9 server is
route add 10.1.6.0 mask 255.255.255.0 10.10.1.250
which tells the server to bypass the ASA and go directly to the ISP router (then I can successfully tracert everything). The big question here is how to make the inside ASA connection 10.10.1.1 force all traffic to 10.10.1.250.
Thanks in advance. -
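The router configuration above relies on first-match ordering in access-list 100: the deny lines for the VPN client addresses must precede the permit for the whole 192.168.0.0/24 subnet, otherwise traffic to VPN clients is NATed and the VPN breaks. The following is an added example, not code from the original post or from Cisco: a small evaluator for IOS-style extended ACL lines (any / host / address-plus-wildcard forms) that applies the same first-match rule with the implicit deny at the end. The ACL text is a constructed copy of a few lines from the post, and the flow addresses used as samples are constructed.

```python
import ipaddress

# Constructed copy of the NAT-control ACL from the router configuration above.
ACL_100 = """
access-list 100 remark -=[Deny NAT for VPN Clients]=-
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.10
access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.11
access-list 100 remark -=[Internet NAT Service]=-
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""


def _parse_addr(tokens):
    """Consume one IOS address spec and return (network, remaining tokens).

    Accepted forms: 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD'.
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24.
    # Non-contiguous wildcards are not representable as a network and raise.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Return the ACL as an ordered list of (action, protocol, src_net, dst_net)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        action = tokens[2]
        if action == "remark":
            continue  # remarks are documentation only and never match traffic
        proto = tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        rules.append((action, proto, src, dst))
    return rules


def acl_decision(rules, src, dst, proto="ip"):
    """First-match evaluation, as IOS does it; unmatched traffic hits the implicit deny.

    Returns (action, 1-based index of the matching entry) or ("deny", None).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, rproto, rsrc, rdst) in enumerate(rules, 1):
        # A rule written for 'ip' matches every protocol.
        if rproto in ("ip", proto) and s in rsrc and d in rdst:
            return action, index
    return "deny", None


def will_be_natted(rules, src, dst):
    """For a NAT ACL, 'permit' means 'translate this flow'; 'deny' means leave it alone."""
    return acl_decision(rules, src, dst)[0] == "permit"


if __name__ == "__main__":
    rules = parse_acl(ACL_100)
    # Constructed sample flows: an inside host talking to a VPN client, to the Internet,
    # and a host outside the NAT range.
    for src, dst in [("192.168.0.50", "192.168.0.10"),
                     ("192.168.0.50", "198.51.100.7"),
                     ("10.1.1.1", "198.51.100.7")]:
        print(src, "->", dst, acl_decision(rules, src, dst), "natted" if will_be_natted(rules, src, dst) else "not natted")
    # Ordering hazard: the same entries with the permit moved first NAT the VPN clients too.
    reordered = [rules[-1]] + rules[:-1]
    print("permit-first ordering NATs VPN traffic:", will_be_natted(reordered, "192.168.0.50", "192.168.0.10"))
```

The reordered list at the end makes the point of the post's layout concrete: the entries are identical, only their order differs, and the VPN client traffic is translated in one case and not in the other. When checking a live device, `show access-lists 100` prints the entries in the order they are evaluated together with per-entry match counters, which is the quickest way to confirm which line a flow is hitting.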
MacBook Air DVD or CD Sharing on different subnets
I'm an admin testing the MBA and trying to figure out how to get a shared CD from my MacPro on a LAN subnet shared to the MBA on a Wifi subnet. I have multiple VLANs across the enterprise and was wondering if remote disc only used the auto discovery feature within the same subnet. Can someone please clarify?
Ah well forget it, found my answer here.
http://docs.info.apple.com/article.html?artnum=307320 -
WRT160N v2 as access point inside LAN
I got this router and I need to set it as an Access Point (will not be using the routing functionality) in the far side of our building. Our LAN uses IP addresses in the range 10.*.*.* with subnet 255.0.0.0, so I need to put the access point into this subnet. The dropdown box only allows me to set some predefined subnet masks, none of which matches ours. So how am I supposed to set this router in our LAN? Please, help!
Set the access point to an unused LAN IP address inside your LAN (not used by any other device nor inside the DHCP server address pool).
Set the subnet mask to 255.255.255.0.
Disable the DHCP server on the WRT.
Connect a LAN port of the WRT to your existing LAN.
The wireless part is bridged into the ethernet LAN. The IP address of the WRT does not play a role here. The wireless works anyway. (Just like you can use the other LAN ports on the WRT to wire devices to your LAN).
The only limitation you have is that you can only access the web interface of the WRT from an IP address inside the incorrectly configured LAN subnet on the WRT. If you have set the WRT to 10.0.11.12/255.255.255.0 then the WRT is only accessible from IP addresses 10.0.11.*. If your computer does not happen to use an IP address inside this IP subnet you must set a static IP address temporarily to access the web interface. But you only need access to the web interface for configuration purposes. After the wireless is configured it works just fine.
Unless, of course, you use WPA/WPA2 enterprise mode, which requires it to contact the RADIUS server. In that case you must use an IP address on the WRT which allows it to send packets directly to the RADIUS server.
Moreover, I would recommend not to use the broadcast IP address of the LAN IP subnet assigned to the WRT for any other purposes. If you set 10.0.11.12/255.255.255.0 I would suggest not to use 10.0.11.255 for any computer inside your LAN. You'll never know what traffic the router may be broadcasting to the LAN and that could become problematic if there is a computer sitting on that broadcast address (which of course is not really a broadcast address inside your LAN).
The other option would be to change the LAN subnet mask and maybe split the LAN into multiple routed networks. -
VPN users cannot connect to LAN
I have two users down in Australia, they can connect via VPN but cannot ping any of the LAN IP addresses.
Please help, URGENT!

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Are the VPN clients in a different subnet from your LAN? If so, I would suspect a routing issue: either your VPN clients don't know how to get to the LAN subnet and/or the LAN clients don't know how to get to the VPN client subnet.
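Both the WRT160N answer above (an access point with a /24 mask sitting inside a /8 LAN is reachable only from its own /24) and this VPN answer (each side needs a route to the other) come down to the same check: a packet gets a reply only when the sender has a route to the destination and the destination has a route back. The following is an added example, not code from either post or from any vendor: a tiny longest-prefix-match lookup over each host's connected networks and static routes, applied in both directions. All hosts, addresses and routes below are constructed for illustration; in particular, the access point is assumed to have no default gateway, and the VPN client is assumed to have a route for the LAN through a tunnel interface called tunnel0.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """A host's view of the network: its own interfaces plus any static routes."""
    name: str
    interfaces: list                       # e.g. ["10.0.11.12/24"]
    routes: dict = field(default_factory=dict)  # destination prefix -> next hop

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes.

        Returns a short description of the chosen path, or None when the host
        has no route at all (the packet is dropped before it leaves).
        """
        dst = ipaddress.ip_address(dst)
        best = None  # (prefix length, description)
        for iface in self.interfaces:
            net = ipaddress.ip_interface(iface).network
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "on-link via " + iface)
        for prefix, gateway in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "via " + gateway)
        return best[1] if best else None


def trace(a, b):
    """Return (a->b path, b->a path); either may be None."""
    return (a.next_hop(b.interfaces[0].split("/")[0]),
            b.next_hop(a.interfaces[0].split("/")[0]))


def path_ok(a, b):
    """True only when both directions have a route.

    A one-way route is the classic symptom: the request reaches the target,
    the reply has nowhere to go, and ping simply times out.
    """
    forward, reverse = trace(a, b)
    return forward is not None and reverse is not None


# Scenario 1 (WRT160N post): AP configured as 10.0.11.12/24 inside a 10.0.0.0/8 LAN.
wrt = Host("WRT160N", ["10.0.11.12/24"])           # assumed: no default gateway
admin_far = Host("admin-far", ["10.0.5.7/8"])       # constructed admin PC outside the AP's /24
admin_near = Host("admin-near", ["10.0.11.40/8"])   # constructed admin PC inside the AP's /24

# Scenario 2 (VPN post): client in 192.168.100.0/24, LAN server in 10.10.1.0/24.
vpn_client = Host("vpn-client", ["192.168.100.5/24"], {"10.10.1.0/24": "tunnel0"})
lan_server = Host("lan-server", ["10.10.1.9/24"])                       # no route back to the VPN pool
lan_server_fixed = Host("lan-server", ["10.10.1.9/24"], {"0.0.0.0/0": "10.10.1.1"})

if __name__ == "__main__":
    for a, b in [(admin_far, wrt), (admin_near, wrt),
                 (vpn_client, lan_server), (vpn_client, lan_server_fixed)]:
        print(f"{a.name} <-> {b.name}: {trace(a, b)} -> {'OK' if path_ok(a, b) else 'BROKEN'}")
```

The first scenario shows why the answer says the web interface is reachable only from 10.0.11.*: the admin PC on 10.0.5.7/8 does send to the AP on-link, but the AP, seeing 10.0.5.7 outside its own /24 and having no gateway, cannot answer. The second shows the VPN case: adding a default route (or a specific route for the VPN pool) on the LAN side is what turns the one-way path into a working one.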