tyty4u2

asked on

Cisco ASA 5505 VPN Access with separate VLANS inside

I am currently tasked with the job of setting up a remote access solution to some PLC OEM equipment in a factory.  There are currently two lines set up with different subnets in each line.

Line 1: 10.1.1.0 / 255.255.255.0
Line 2: 10.1.2.0 / 255.255.255.0

Each line has its own dedicated switch and is physically disjoint in the network.
The OEM equipment uses multicast to communicate with one another, so IGMP port snooping must be enabled on the switches.

They soon will add another Line to the mix with an undetermined IP scheme.  They want all three lines to be unable to communicate with each other, but they do want to access all three lines using a VPN for remote access and eventually down the road to have all three lines be able to talk to a data collecting server.

Short term they are in urgent need of remote access to the two lines currently in operation.  My quick setup would be to install a Cisco ASA 5505 with an unlimited license.  From what I understand, it supports 3 VLANs out of the box (1 Internet, 2 Work, 3 Home).  It does not support more than 3 VLANs and does not support VLAN trunking unless you buy the Security Plus license.  AND it doesn't support IGMP port snooping.

I wanted to set up VLAN 1 with an IP of 10.1.1.1 / 255.255.255.0 and VLAN 2 with 10.1.2.0 / 255.255.255.0, and of course VLAN 0 would be the internet.

From my understanding, both networks will be able to communicate with the internet, but not each other since they are on separate VLANs, BUT once I VPN into the Cisco ASA remotely, how am I supposed to access BOTH networks?  Do I set up two different VPN policies in the ASA?  Is this even possible?  I thought for sure it would have to be.  Please forgive me, I am not a Cisco expert by any means.

The long term goal is to change the subnet of each line to 255.255.0.0 so that ALL the OEM equipment is on the same subnet.   Plug each line into a Cisco switch that does support VLANs and IGMP port snooping, then VLAN off each line to its own port and set up a VLAN trunk to the Cisco ASA.

Does the Cisco ASA have to support VLAN trunking to do this, or just the switch?  The reason I ask, is I have to know if I need to buy the Security Plus license.

I am looking for any tips, tricks, or suggestions.  Thank you in advance.
Heiko Bialozyt

Out of the box the ASA 5505 supports 3 VLANs:
1. external (untrusted) with security level 0
2. internal (trusted) on security level 100
3. DMZ (restricted) with a security level higher than 0 but less than 100

During setup you have to decide from where the DMZ should be accessible. Because of the restrictions you can't connect the DMZ to inside AND outside.

You can set up a VPN to access both the DMZ and inside while using one tunnel. It depends on your traffic selection and your translation exemptions.
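As an added example (not part of either post above, and not Cisco's own documentation), here is the shape of an ASA 8.4-style configuration that does what the answer describes: Line 1 on the inside VLAN, Line 2 on the restricted third VLAN, and one IPsec remote-access tunnel whose split-tunnel list (traffic selection) and identity NAT (translation exemption) cover both subnets. The interface names, the 10.1.99.0/24 client pool, the object, group and crypto map names and the pre-shared key are all assumptions for illustration; on ASA 8.2 and earlier the exemption is written with `nat (inside) 0 access-list ...` instead of the object-based form shown here.

```cisco
! Added example config, not from the original thread. ASA 8.4 syntax assumed.
! Switch ports: E0/0 to the ISP, E0/1 to the Line 1 switch, E0/2 to the Line 2 switch.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute                 ! assumption: ISP-assigned address
!
! Base license: the third VLAN must be told which interface it may NOT initiate
! traffic to. This is the "restricted" DMZ and keeps Line 2 from reaching Line 1.
interface Vlan3
 no forward interface Vlan1
 nameif line2
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
object network LINE1
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface   ! internet access for Line 1 (PAT)
object network LINE2
 subnet 10.1.2.0 255.255.255.0
 nat (line2,outside) dynamic interface    ! internet access for Line 2 (PAT)
object network VPN_POOL
 subnet 10.1.99.0 255.255.255.0           ! assumed client pool; must not overlap a line
!
ip local pool RA_POOL 10.1.99.10-10.1.99.50 mask 255.255.255.0
!
! Translation exemption: identity NAT so VPN clients see the real line addresses.
! Manual NAT is evaluated before the object NAT above, so the PAT rules do not apply.
nat (inside,outside) source static LINE1 LINE1 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
nat (line2,outside) source static LINE2 LINE2 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Traffic selection: one split-tunnel list naming both subnets means one tunnel
! carries traffic to both lines. Everything else stays on the client's local internet.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.1.2.0 255.255.255.0
!
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME            ! assumption: replace before use
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set RA_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA_DYN 10 set ikev1 transform-set RA_TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside
!
! Deliberately NOT set: same-security-traffic permit intra-interface.
! Without it a VPN client cannot hairpin traffic from Line 1 back out to Line 2,
! so the tunnel does not become a bridge between the two lines.
```

Two things to check after applying something like this: `show nat` should list the two identity rules in section 1 ahead of the PAT rules, and `packet-tracer input outside tcp 10.1.99.10 1025 10.1.2.50 502` (a made-up client and PLC address) should report the flow as allowed with no translation, once the tunnel is up. Decrypted VPN traffic bypasses the outside interface ACL because `sysopt connection permit-vpn` is on by default; if only some remote users may reach a given line, add a `vpn-filter` ACL to the group policy rather than relying on interface ACLs.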
tyty4u2

ASKER

So I can put Line 1 on the trusted network and Line 2 on the DMZ, and set up a VPN that will allow access to both even though they are on different subnets?