Solved

Cisco ASA 5505 Site to Site VPN with VLANS and Segmented Interfaces.

Posted on 2013-01-24
Last Modified: 2013-03-31
Currently we have 5 sites with LAN and Voice traffic on different subnets. The sites look like this.

schema:
LANs: 192.168.201.x - 192.168.205.x
Voice: 10.10.1.x - 10.10.5.x

Site 1 - 4 Remote Offices:
Interface 0/1
Trunked
VLANs allowed are Voice and LAN

Sites 1-4 have worked flawlessly for years. We recently added a COLO (site 5), migrated the Phone System and Servers to VMware.

Site 5: (192.168.205.x LAN and 10.10.5.x Voice)
Interface 0/1
Switchport with LAN VLAN allowed
Interface 0/5
Switchport with VOICE VLAN allowed

All LAN traffic at every site works over the VPN; we can also ping the VOICE (10.10.5.x) network with 50-75 percent success. However, when we do this ping, all traffic everywhere blips for a couple of seconds and then comes back online. We are unable to access the phone system web portal from remote sites or the COLO. I feel like there is a simple routing statement, NAT rule or access config that's been missed. Any help is appreciated. I've added the Site 5 (COLO) config below. I will add the other configs when they are sent to me. I'm working with another IT company on this project, so I'm somewhat at their mercy.
TIC-COLO-Config.txt
Question by: myintellinet

Expert Comment

by: Ernie Beek
ID: 38814111
I've hidden the public IP addresses in your config file.
Be careful showing your publics to everyone ;)
Author Comment

by: myintellinet
ID: 38814168
thx!
Accepted Solution

by: MAG03 (earned 500 total points)
ID: 38825037
One misconfiguration you have is for split tunneling.  This could also be the cause of your issue too, but it is not used on many tunnel groups.  For split tunneling you can only use a standard access list and specify the destination IP.

access-list split extended permit ip 192.168.205.0 255.255.255.0 10.1.105.0 255.255.255.0

group-policy TICsHOST internal
group-policy TICsHOST attributes
 wins-server value 192.168.205.10
 dns-server value 192.168.205.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value icowpb.local
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 client-firewall none
 client-access-rule none

So replace the current access list with the following.

access-list split standard permit 10.1.105.0 255.255.255.0
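The accepted answer's point, that an ASA split-tunnel network list must be a standard ACL naming only the destination networks, is easy to check mechanically before a tunnel group is rolled out. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads ASA configuration text, pairs each group-policy's `split-tunnel-network-list` with the ACL it references, flags lists that are extended rather than standard (or missing), and proposes the destination-only standard form the answer recommends. The sample config is constructed for the example; it reuses the `split`/`TICsHOST` lines quoted above and adds hypothetical `split2`, `FIXED` and `NOSPLIT` entries to show a clean policy and a policy the check does not apply to.

```python
"""Audit Cisco ASA split-tunnel configuration (added example, not from the thread).

Rule checked: a group-policy with 'split-tunnel-policy tunnelspecified' must reference a
*standard* access-list via 'split-tunnel-network-list value NAME', and that ACL should list
only the remote destination networks (ASA standard ACLs take a subnet mask, not a wildcard).
"""
import re

# Constructed sample: the misconfigured policy from the thread plus hypothetical
# 'split2'/'FIXED' (correct) and 'NOSPLIT' (tunnelall, out of scope) entries.
SAMPLE_CONFIG = """\
access-list split extended permit ip 192.168.205.0 255.255.255.0 10.1.105.0 255.255.255.0
access-list split2 standard permit 10.1.105.0 255.255.255.0
group-policy TICsHOST internal
group-policy TICsHOST attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
group-policy FIXED internal
group-policy FIXED attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split2
group-policy NOSPLIT internal
group-policy NOSPLIT attributes
 split-tunnel-policy tunnelall
"""

ACL_RE = re.compile(r"^access-list (\S+) (standard|extended) (.*)$")
GP_ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")
SPLIT_LIST_RE = re.compile(r"^\s+split-tunnel-network-list value (\S+)$")
SPLIT_POLICY_RE = re.compile(r"^\s+split-tunnel-policy (\S+)$")


def parse_acls(config):
    """Map ACL name -> list of (type, rest-of-line) entries in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls


def parse_group_policies(config):
    """Map group-policy name -> {'policy': ..., 'list': ...} from its attributes block."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = GP_ATTR_RE.match(line)
        if m:
            current = m.group(1)
            policies.setdefault(current, {"policy": None, "list": None})
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the attributes block
            continue
        m = SPLIT_POLICY_RE.match(line)
        if m:
            policies[current]["policy"] = m.group(1)
        m = SPLIT_LIST_RE.match(line)
        if m:
            policies[current]["list"] = m.group(1)
    return policies


def audit_split_tunnel(config):
    """Return (group-policy, problem) tuples; an empty list means no finding."""
    acls = parse_acls(config)
    findings = []
    for name, gp in parse_group_policies(config).items():
        if gp["policy"] != "tunnelspecified":
            continue  # tunnelall / excludespecified are not covered by this check
        if gp["list"] is None:
            findings.append((name, "tunnelspecified but no split-tunnel-network-list"))
            continue
        entries = acls.get(gp["list"])
        if not entries:
            findings.append((name, "references missing ACL '%s'" % gp["list"]))
            continue
        for kind, _rest in entries:
            if kind != "standard":
                findings.append((name, "ACL '%s' is %s; split-tunnel list must be a "
                                       "standard ACL naming the destination networks"
                                 % (gp["list"], kind)))
                break
    return findings


def suggest_standard_acl(name, entries):
    """Rewrite 'permit ip SRC SMASK DST DMASK' extended entries as destination-only
    standard entries (the form the accepted answer recommends); standard entries pass through."""
    out = []
    for kind, rest in entries:
        if kind == "standard":
            out.append("access-list %s standard %s" % (name, rest))
            continue
        parts = rest.split()
        if len(parts) == 6 and parts[:2] == ["permit", "ip"]:
            out.append("access-list %s standard permit %s %s" % (name, parts[4], parts[5]))
        else:
            out.append("! cannot auto-convert: access-list %s %s %s" % (name, kind, rest))
    return out


if __name__ == "__main__":
    for policy, problem in audit_split_tunnel(SAMPLE_CONFIG):
        print("%s: %s" % (policy, problem))
    for line in suggest_standard_acl("split", parse_acls(SAMPLE_CONFIG)["split"]):
        print(line)
```

Run against a `show running-config` capture, the audit names each tunnelspecified policy whose list is extended or absent, and `suggest_standard_acl` prints the replacement line to review; the rewrite only handles the plain `permit ip src mask dst mask` shape and marks anything else for manual conversion rather than guessing.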
