Cisco ASA 5505 VPN Access with separate VLANS inside
Posted on 2009-02-18
I am currently tasked with the job of setting up a remote access solution to some PLC OEM equipment in a factory. There are currently two lines set up with different subnets in each line.
Line 1: 10.1.1.0 / 255.255.255.0
Line 2: 10.1.2.0 / 255.255.255.0
Each line has its own dedicated switch and is physically disjoined in the network.
The OEM equipment uses multicast to communicate with one another, so IGMP port snooping must be enabled on the switches.
They soon will add another Line to the mix with an undetermined IP scheme. They want all three lines to be unable to communicate with each other, but they do want to access all three lines using a VPN for remote access and eventually down the road to have all three lines be able to talk to a data collecting server.
Short term they are in urgent need of remote access to the two lines currently in operation. My quick setup would be to install a Cisco ASA 5505 with an unlimited license. From what I understand, it supports 3 VLANS out of the box (1 Internet, 2 Work, 3 Home). It does not support more than 3 VLANS and does not support VLAN trunking unless you buy the Security Plus license. AND it doesn't support IGMP port snooping.
I wanted to set up VLAN 1 with an IP of 10.1.1.1 / 255.255.255.0 & VLAN 2 with 10.1.2.0 / 255.255.255.0 & of course VLAN 0 would be the internet.
From my understanding, both networks will be able to communicate with the internet, but not each other since they are on separate VLANS, BUT once I VPN into the Cisco ASA remotely, how am I supposed to access BOTH networks? Do I set up two different VPN policies in the ASA? Is this even possible? I thought for sure it would have to be. Please forgive me, I am not a Cisco expert by any means.
The long term goal is to change the subnet of each line to 255.255.0.0 so that ALL the OEM equipment is on the same subnet. Plug each line into a Cisco switch that does support VLANS and IGMP Port Snooping, then VLAN off each Line to its own port and set up a VLAN trunk to the Cisco ASA.
Does the Cisco ASA have to support VLAN trunking to do this, or just the switch? The reason I ask is I have to know if I need to buy the Security Plus license.
I am looking for any tips, tricks, or suggestions. Thank you in advance.
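One way to lay this out on the ASA, as an added example that is neither the poster's nor Cisco's configuration: two inside VLAN interfaces at the same security level (so they cannot reach each other through the ASA unless that is explicitly permitted), one remote-access group whose split-tunnel list carries both subnets, and NAT exemption on each inside interface. It assumes ASA 8.2-era syntax and a base license (hence the restricted third VLAN); interface names, the 10.1.200.0/24 client pool and the pre-shared key are placeholders.

```cisco
! Added illustration, not the poster's or Cisco's configuration.
! Assumes ASA 8.2-era syntax; names, pool and key are placeholders.
interface Vlan1
 nameif line1
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan3
! Base license: the third VLAN must be restricted before it gets a nameif.
 no forward interface Vlan1
 nameif line2
 security-level 100
 ip address 10.1.2.1 255.255.255.0
! Leaving same-security inter-interface traffic disabled keeps Line 1 and Line 2 apart.
no same-security-traffic permit inter-interface
! One remote-access policy covers both lines: the split-tunnel list names both subnets.
ip local pool VPNPOOL 10.1.200.10-10.1.200.50 mask 255.255.255.0
access-list SPLIT standard permit 10.1.1.0 255.255.255.0
access-list SPLIT standard permit 10.1.2.0 255.255.255.0
! Exempt VPN-client traffic from NAT on each inside interface.
access-list NONAT1 extended permit ip 10.1.1.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list NONAT2 extended permit ip 10.1.2.0 255.255.255.0 10.1.200.0 255.255.255.0
nat (line1) 0 access-list NONAT1
nat (line2) 0 access-list NONAT2
group-policy REMOTE internal
group-policy REMOTE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
tunnel-group REMOTE type remote-access
tunnel-group REMOTE general-attributes
 address-pool VPNPOOL
 default-group-policy REMOTE
tunnel-group REMOTE ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
```

Switchport-to-VLAN assignment for the Ethernet0/x ports and user authentication (local usernames or an external server) are left out and must be added before this is usable. Note that `no forward interface Vlan1` only blocks traffic Line 2 initiates toward Line 1; it is the absence of the same-security permit that blocks both directions.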