Cisco ASA 5505 VPN Access with separate VLANS inside

tyty4u2 asked
Medium Priority
Last Modified: 2012-05-06
I am currently tasked with the job of setting up a remote access solution to some PLC OEM equipment in a factory.  There are currently two line setups with different subnets in each line.

Line 1: /
Line2: /

Each line has its own dedicated switch and is physically disjoined in the network.
The OEM equipment uses multicast to communicate with one another, so IGMP port snooping must be enabled on the switches.

They soon will add another Line to the mix with an undetermined IP scheme.  They want all three lines to be unable to communicate with each other, but they do want to access all three lines using a VPN for remote access and eventually down the road to have all three lines be able to talk to a data collecting server.

Short term they are in urgent need of remote access to the two lines currently in operation.  My quick setup would be to install a Cisco ASA 5505 with an unlimited license.  From what I understand, it supports 3 VLANs out of the box (1 Internet, 2 Work, 3 Home).  It doesn't support more than 3 VLANs and doesn't support VLAN trunking unless you buy the Security Plus license.  AND it doesn't support IGMP port snooping.

I wanted to set up VLAN 1 with an IP of / & VLAN 2 with / & of course VLAN 0 would be the internet.

From my understanding, both networks will be able to communicate with the internet, but not each other since they are on separate VLANs, BUT once I VPN into the Cisco ASA remotely, how am I supposed to access BOTH networks?  Do I set up two different VPN policies in the ASA?  Is this even possible?  I thought for sure it would have to be.  Please forgive me, I am not a Cisco expert by any means.

The long term goal is to change the subnet of each line to so that ALL the OEM equipment is on the same subnet.   Plug each line into a Cisco switch that does support VLANs and IGMP Port Snooping, then VLAN off each Line to its own port and set up a VLAN trunk to the Cisco ASA.

Does the Cisco ASA have to support VLAN trunking to do this, or just the switch?  The reason I ask, is I have to know if I need to buy the Security Plus license.

I am looking for any tips, tricks, or suggestions.  Thank you in advance.

Heiko Bialozyt, Head of IT

Out of the box, the ASA 5505 supports 3 VLANs.
1. external (untrusted) with sec level 0
2. internal (trusted) on sec level 100
3. DMZ (restricted) sec level higher than 0 but less than 100

During setup you have to decide from where the DMZ should be accessible. Because of the restrictions, you can't connect the DMZ to inside AND outside.

You can set up a VPN to access both DMZ and inside while using one tunnel. It depends on your traffic selection and your translation exemptions.


So I can put Line 1 on the Trusted network and Line 2 on the DMZ.  Set up a VPN that will allow access to both even though they are on different subnets?
Head of IT
Yes, you can. Add both subnets to the traffic selection of the VPN. Then you can see both subnets at the same time.
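
Added example (not part of the original thread and not posted by either participant): a sketch of the ASA 5505 configuration pieces the answers name, with one remote-access policy whose traffic selection lists both line subnets, a NAT exemption per interface, and an ACL that keeps Line 1 from reaching Line 2. It assumes pre-8.3 ASA software (`nat 0` exemption syntax); the subnets, pool and object names are constructed placeholders because the thread's addresses are not shown, and the outside interface and IKE/IPsec crypto setup are omitted.

```cisco
! Constructed values: Line 1 = 192.168.10.0/24, Line 2 = 192.168.20.0/24,
! VPN client pool = 192.168.99.0/24. All object names are hypothetical.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan3
 ! Base license: the third VLAN must be barred from initiating to one other VLAN
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Higher-to-lower security traffic is allowed by default, so block
! Line 1 -> Line 2 explicitly to keep the lines isolated from each other
access-list INSIDE-IN extended deny ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
ip local pool VPN-POOL 192.168.99.10-192.168.99.50 mask 255.255.255.0
!
! Traffic selection: both line subnets go through the single tunnel
access-list VPN-SPLIT standard permit 192.168.10.0 255.255.255.0
access-list VPN-SPLIT standard permit 192.168.20.0 255.255.255.0
!
! Translation exemptions: replies to the VPN pool leave each interface untranslated
access-list NONAT-LINE1 extended permit ip 192.168.10.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list NONAT-LINE2 extended permit ip 192.168.20.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list NONAT-LINE1
nat (dmz) 0 access-list NONAT-LINE2
!
group-policy LINES-RA internal
group-policy LINES-RA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SPLIT
!
tunnel-group LINES-RA type remote-access
tunnel-group LINES-RA general-attributes
 address-pool VPN-POOL
 default-group-policy LINES-RA
```

On ASA 8.3 and later the two `nat ... 0 access-list` lines are replaced by twice-NAT rules; the split-tunnel ACL and group policy are unchanged.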
