Made a subnet mask change from a 24 to a 16 mask and now the VPN connects, but no one can communicate through to servers or have Outlook connect to Exchange. Here is the access-list, vpngroup and ip info:
access-list split permit ip 10.1.1.0 255.255.255.0 9.0.0.0 255.0.0.0 - changed to 10.0.0.0 255.255.0.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 9.0.0.0 255.0.0.0 - changed to 10.0.0.0 255.255.0.0
ip address inside 10.1.1.1 255.255.255.0 - changed to 10.0.1.1 255.255.0.0
ip local pool vpnpool 9.9.9.1-9.9.9.254
global (outside) 1 [outside public ip]
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
You changed the 9 to a 10, why? You should have changed the first part of the lines. You never changed the mask on your no nat or split permit. Your new lines should look like this:
access-list split permit ip 10.1.1.0 255.255.0.0 9.0.0.0 255.0.0.0
access-list nonat permit ip 10.1.1.0 255.255.0.0 9.0.0.0 255.0.0.0
The parts you changed, you actually took a /8 and changed it to a whole different /16.
Justin Ellenbecker
The reason it still connects is because the end points are the same but you are no longer protecting any traffic when you changed it from 9. to 10. on the end of the acl.
HossEquip
ASKER
I didn't change the 9.x.x.x to the 10.0.x.x, I changed the 10.0.1.0 255.255.255.0 to 10.0.0.0 255.255.0.0. Sorry if the post didn't clarify that better.
Old that worked:
access-list split permit ip 10.0.1.0 255.255.255.0 9.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 9.0.0.0 255.0.0.0
New that isn't:
access-list split permit ip 10.0.0.0 255.255.0.0 9.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 9.0.0.0 255.0.0.0
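
Added example, not part of any post in this thread: a small Python check that compares a PIX-style `access-list ... permit ip` line against the inside interface address and the VPN pool quoted in the question, flagging a source that has host bits set under its mask, a source that differs from the inside network, and pool addresses outside the destination. The function names are hypothetical, and the inside address 10.0.1.1 255.255.0.0 and pool 9.9.9.1-9.9.9.254 are taken from the question as written.

```python
import ipaddress

def parse_acl(line):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' (PIX style, subnet masks)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return tok[1], (tok[4], tok[5]), (tok[6], tok[7])

def to_network(addr, mask):
    """Return (network, aligned); aligned is False when addr has host bits set under mask."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return net, ipaddress.ip_address(addr) == net.network_address

def check(acl_line, inside_ip, inside_mask, pool_first, pool_last):
    """List mismatches between one ACL line, the inside interface and the VPN pool."""
    name, src, dst = parse_acl(acl_line)
    src_net, aligned = to_network(*src)
    dst_net, _ = to_network(*dst)
    inside_net, _ = to_network(inside_ip, inside_mask)
    findings = []
    if not aligned:
        findings.append(f"{name}: source {src[0]} is not the network address of {src_net}")
    if src_net != inside_net:
        findings.append(f"{name}: source {src_net} differs from inside network {inside_net}")
    for ip in (pool_first, pool_last):
        if ipaddress.ip_address(ip) not in dst_net:
            findings.append(f"{name}: pool address {ip} is outside destination {dst_net}")
    return findings

if __name__ == "__main__":
    # ACL lines quoted in the thread, checked against the new inside address from the question.
    for line in (
        "access-list nonat permit ip 10.1.1.0 255.255.0.0 9.0.0.0 255.0.0.0",
        "access-list nonat permit ip 10.0.1.0 255.255.255.0 9.0.0.0 255.0.0.0",
        "access-list nonat permit ip 10.0.0.0 255.255.0.0 9.0.0.0 255.0.0.0",
    ):
        result = check(line, "10.0.1.1", "255.255.0.0", "9.9.9.1", "9.9.9.254")
        print(line, "->", result or "consistent")
```

An empty result only rules out an address mismatch between that line, the inside interface and the pool; it says nothing about the rest of the configuration.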