Solved

Cisco ASA 5505 Site to Site VPN with VLANS and Segmented Interfaces.

Posted on 2013-01-24
Last Modified: 2013-03-31
Currently we have 5 sites with LAN and Voice traffic on different subnets. The sites look like this.

schema:
LANs: 192.168.201.x - 192.168.205.x
Voice: 10.10.1.x - 10.10.5.x

Site 1 - 4 Remote Offices:
Interface 0/1
Trunked
VLANs allowed are Voice and LAN

Sites 1-4 have worked flawlessly for years. We recently added a COLO (site 5), migrated the Phone System and Servers to VMware.

Site 5: (192.168.205.x LAN and 10.10.5.x Voice)
Interface 0/1
Switchport with LAN VLAN allowed
Interface 0/5
Switchport with VOICE VLAN allowed

All LAN traffic at every site works over the VPN; we can also ping the VOICE (10.10.5.x) network with 50-75 percent success. However, when we do this ping, all traffic everywhere blips for a couple of seconds and then comes back online. We are unable to access the phone system web portal from the remote sites or the COLO. I feel like there is a simple routing statement, NAT rule, or access config that's been missed. Any help is appreciated. I've added the Site 5 (COLO) config below. I will add the other configs when they are sent to me. I'm working with another IT company on this project, so I'm somewhat at their mercy.
TIC-COLO-Config.txt
Question by:myintellinet
3 Comments
 

Expert Comment

by:Ernie Beek
ID: 38814111
I've hidden the public IP addresses in your config file.
Be careful showing your publics to everyone ;)
 

Author Comment

by:myintellinet
ID: 38814168
thx!
 

Accepted Solution

by: MAG03 (earned 500 total points)
ID: 38825037
One misconfiguration you have is for split tunneling. This could also be the cause of your issue, but it is not used on many tunnel groups. For split tunneling you can only use a standard access list and specify the destination IP.

access-list split extended permit ip 192.168.205.0 255.255.255.0 10.1.105.0 255.255.255.0

group-policy TICsHOST internal
group-policy TICsHOST attributes
 wins-server value 192.168.205.10
 dns-server value 192.168.205.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value icowpb.local
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 client-firewall none
 client-access-rule none

So replace the current access list with the following.

access-list split standard permit 10.1.105.0 255.255.255.0
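As an added example, not part of the original thread or of anyone's posted config: a small Python audit that parses an ASA configuration fragment and flags every group-policy whose split-tunnel-network-list points at an extended access list instead of a standard one, which is the misconfiguration the accepted answer describes. The sample config is constructed from the fragment quoted above; the LAN_ONLY policy and the split2 list are made-up names used only to show a passing case.

```python
import re

# Constructed sample modelled on the fragment in the accepted answer (not the poster's real config)
SAMPLE_CONFIG = """\
access-list split extended permit ip 192.168.205.0 255.255.255.0 10.1.105.0 255.255.255.0
access-list split2 standard permit 10.1.105.0 255.255.255.0
group-policy TICsHOST attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
group-policy LAN_ONLY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split2
"""

def parse_acl_types(config: str) -> dict:
    """Map each access-list name to its declared type ('standard' or 'extended')."""
    types = {}
    for m in re.finditer(r"^access-list (\S+) (standard|extended) ", config, re.M):
        types.setdefault(m.group(1), m.group(2))  # first ACE decides the type
    return types

def parse_split_tunnel_lists(config: str) -> dict:
    """Map group-policy name -> ACL named by its split-tunnel-network-list."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)      # entering an attributes block
            continue
        if current and line.startswith(" "):
            m = re.match(r"^ split-tunnel-network-list value (\S+)$", line)
            if m:
                result[current] = m.group(1)
        elif not line.startswith(" "):
            current = None            # any unindented line ends the block
    return result

def audit_split_tunnel(config: str) -> list:
    """Return one finding per group-policy whose split-tunnel ACL is missing or not standard."""
    acl_types = parse_acl_types(config)
    findings = []
    for policy, acl in parse_split_tunnel_lists(config).items():
        acl_type = acl_types.get(acl)
        if acl_type is None:
            findings.append(f"{policy}: split-tunnel list '{acl}' is not defined")
        elif acl_type != "standard":
            findings.append(f"{policy}: split-tunnel list '{acl}' is {acl_type}, expected standard")
    return findings
```

Run it against a saved `show running-config` to list every policy that needs the same fix the answer proposes; an empty list means all split-tunnel lists are standard ACLs.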
