Cisco ASA 5505 Site to Site VPN with VLANS and Segmented Interfaces.

Currently we have 5 sites with LAN and Voice traffic on different subnets. The sites look like this.

schema:
LANs: 192.168.201.x - 192.168.205.x
Voice: 10.10.1.x - 10.10.5.x

Site 1 - 4 Remote Offices:
Interface 0/1
Trunked
vlans allowed are voice and Lan

Sites 1-4 have worked flawlessly for years. We recently added a COLO (site 5), migrated the Phone System and Servers to VMware.

Site 5: (192.168.205.x LAN and 10.10.5.x Voice)
Interface 0/1
Switchport with LAN VLAN allowed
Interface 0/5
Switchport with VOICE VLAN allowed

All LAN traffic at every site works over the VPN, we can also ping the VOICE (10.10.5.x) network with 50-75 percent success. However when we do this ping all traffic everywhere blips for a couple seconds then comes back online. We are unable to access the phone system web portal from remote sites or COLO. I feel like there is a simple routing statement missing or NAT rule or access config that's been missed. Any help is appreciated. I've added the Site 5 (COLO) config below. I will add the other configs when they are sent to me. I'm working with another IT company on this project so I'm somewhat at their mercy.
TIC-COLO-Config.txt
myintellinetAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ernie BeekExpertCommented:
I've hidden the public IP addresses in your config file.
Be carefull showing your publics to everyone ;)
0
myintellinetAuthor Commented:
thx!
0
Marius GunnerudSenior Systems EngineerCommented:
One misconfiguration you have is for split tunneling.  This could also be the cause of your issue too, but it is not used on many tunnel groups.  For split tunneling you can only use a standard access list and specify the destination IP.

access-list split extended permit ip 192.168.205.0 255.255.255.0 10.1.105.0 255.255.255.0

group-policy TICsHOST internal
group-policy TICsHOST attributes
 wins-server value 192.168.205.10
 dns-server value 192.168.205.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value icowpb.local
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 client-firewall none
 client-access-rule none

So replate the current access list with the following.

access-list split standard permit 10.1.105.0 255.255.255.0
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking Protocols

From novice to tech pro — start learning today.