Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NSA 3500 Cisco 2960 VLANs affecting VPN

Status
Not open for further replies.
jifitz

jifitz

IS-IT--Management
Jun 10, 2004
55
0
0
US
I will try to give as much detail as I can. We recently had the need to subnet our little network for ADFS and best practices which is great. I basically followed the suggestions here and built mine similar.


Once I had set things up it worked. The 2960 routed the vlan traffic via the Sonicwall but it created an odd problem. Name resolution stopped when clients were connected on the VPN. When I shut down the interface on the 2960 from the Sonicwall the name resolution comes back instantly. Only difference on the procedure I found was that because I am using a 2960 it uses dot1q and so the "switchport trunk encpsulation dot1q" doesn't show as an option. But it looked like it was routing to the VLANs fine when I tested it from an internal test server.

XO; lan 172.20.0.1

X1: WAN Primary ISP

X2: WAN Failover ISP

X3; Accounting 172.24.0.1

X4: Router on a Stick 172.20.40.1 LAN

V41 172.20.41.1 LAN

V42 172.20.42.1 LAN

V43 172.20.43.1 LAN

V44 172.20.44.1 LAN

X5: 172.16.0.1 DMZ

VPN Clients have access to X0, X1 AND X2 ONLY.

Any help I can get would be greatly appreciated. And this is the first real vlan experience I have had outside of a Cisco exam. Not an expert.
 
Sort by date Sort by votes
UPDATE:

UTC 12/07/2012 15:43:31.496 Alert Intrusion Prevention IP spoof

dropped 172.20.0.x, 53, X4, DC 172.20.0.Me, 65213, X1 MAC

address: 00:23:54.....

Ok now I know what is causing the problem. IDS. New problem. Although I can see IDS/IPS popping up in the log like this. Our subscription is gone, (not my idea). When you hit the Secruity Services> Intrusion Prevention it just says " Upgrade Required". I also looked on the Zones and it still showed IDS on the checkboxes. So I went through and unchecked all the IPS checkboxes for test purposes but I still get the error. I am also seeing that the VPN i showing up on X4 instead of X0 as it always had. Not sure if that is a routing issue or not but I did check the VPN and do not see any place were I can choose X0 over X4. X4 is the interface for Sonicwall/Router on a stick.

Any input would be appreciated. I think I am going to create a zone for each vlan that I created so there will be no overlap w/ LAN and the new interfaces.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
146
intel233
intel233
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
52
WhosYourDiffie
WhosYourDiffie
MottoK
  • Locked
  • Question
Cisco ISE blank GUI
Replies
0
Views
105
MottoK
MottoK
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
156
intel233
intel233
AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
121
AllenH12
AllenH12

Part and Inventory Search

Sponsor

Back
Top