asked on
VPN broken after subnet mask change
Made a subnet mask change from a 24 to a 16 mask and now the VPN connects, but no one can communicate through to servers or have outlook connect to Exchange. Here is the access-list, vpngroup and ip info:
access-list split permit ip 10.1.1.0 255.255.255.0 9.0.0.0 255.0.0.0 - changed to 10.0.0.0 255.255.0.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 9.0.0.0 255.0.0.0 - changed to 10.0.0.0 255.255.0.0
ip address inside 10.1.1.1 255.255.255.0 - changed to 10.0.1.1 255.255.0.0
ip local pool vpnpool 9.9.9.1-9.9.9.254
global (outside) 1 [outside public ip]
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 66.226.226.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 50 set transform-set esp-3des
crypto map VPN 65535 ipsec-isakmp dynamic dynmap
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN interface outside
isakmp enable outside
isakmp nat-traversal 3600
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
vpngroup xpixvpngroup address-pool vpnpool
vpngroup xpixvpngroup dns-server 10.0.1.47 10.0.1.48
vpngroup xpixvpngroup wins-server 10.0.1.47 10.0.1.48
vpngroup xpixvpngroup default-domain [company domain name]
vpngroup xpixvpngroup split-tunnel split
vpngroup xpixvpngroup idle-time 1800
vpngroup xpixvpngroup password ********
vpngroup xpivpngroup idle-time 1800
access-list split permit ip 10.1.1.0 255.255.255.0 9.0.0.0 255.0.0.0 - changed to 10.0.0.0 255.255.0.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 9.0.0.0 255.0.0.0 - changed to 10.0.0.0 255.255.0.0
ip address inside 10.1.1.1 255.255.255.0 - changed to 10.0.1.1 255.255.0.0
ip local pool vpnpool 9.9.9.1-9.9.9.254
global (outside) 1 [outside public ip]
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 66.226.226.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set esp-3des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 50 set transform-set esp-3des
crypto map VPN 65535 ipsec-isakmp dynamic dynmap
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN interface outside
isakmp enable outside
isakmp nat-traversal 3600
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
vpngroup xpixvpngroup address-pool vpnpool
vpngroup xpixvpngroup dns-server 10.0.1.47 10.0.1.48
vpngroup xpixvpngroup wins-server 10.0.1.47 10.0.1.48
vpngroup xpixvpngroup default-domain [company domain name]
vpngroup xpixvpngroup split-tunnel split
vpngroup xpixvpngroup idle-time 1800
vpngroup xpixvpngroup password ********
vpngroup xpivpngroup idle-time 1800
CiscoVPNRouters
Last Comment
HossEquip
The reason it still connects is because the end points are the same but you are no longer protecting any traffic when you changed it from 9. to 10. on the end of the acl.
ASKER
I didn't change the 9.x.x.x to the 10.0.x.x, changed the 10.0.1.0 255.255.255.0 to 10.0.0.0 255.255.0.0.. sorry if the post didn't clarify that better
old that worked:
access-list split permit ip 10.0.1.0 255.255.255.0 9.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 9.0.0.0 255.0.0.0
New that isn't:
access-list split permit ip 10.0.0.0 255.255.0.0 9.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 9.0.0.0 255.0.0.0
old that worked:
access-list split permit ip 10.0.1.0 255.255.255.0 9.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 9.0.0.0 255.0.0.0
New that isn't:
access-list split permit ip 10.0.0.0 255.255.0.0 9.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 9.0.0.0 255.0.0.0
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
access-list split permit ip 10.1.1.0 255.255.0.0 9.0.0.0 255.0.0.0
access-list nonat permit ip 10.1.1.0 255.255.0.0 9.0.0.0 255.0.0.0
The parts you cahnged you actually took a /8 and changed it to a whole different /16