Solved

Cisco ASA 5505 Site to Site VPN with VLANS and Segmented Interfaces.

Posted on 2013-01-24
3
393 Views
Last Modified: 2013-03-31
Currently we have 5 sites with LAN and Voice traffic on different subnets. The sites look like this.

schema:
LANs: 192.168.201.x - 192.168.205.x
Voice: 10.10.1.x - 10.10.5.x

Site 1 - 4 Remote Offices:
Interface 0/1
Trunked
vlans allowed are voice and Lan

Sites 1-4 have worked flawlessly for years. We recently added a COLO (site 5), migrated the Phone System and Servers to VMware.

Site 5: (192.168.205.x LAN and 10.10.5.x Voice)
Interface 0/1
Switchport with LAN VLAN allowed
Interface 0/5
Switchport with VOICE VLAN allowed

All LAN traffic at every site works over the VPN, we can also ping the VOICE (10.10.5.x) network with 50-75 percent success. However when we do this ping all traffic everywhere blips for a couple seconds then comes back online. We are unable to access the phone system web portal from remote sites or COLO. I feel like there is a simple routing statement missing or NAT rule or access config that's been missed. Any help is appreciated. I've added the Site 5 (COLO) config below. I will add the other configs when they are sent to me. I'm working with another IT company on this project so I'm somewhat at their mercy.
TIC-COLO-Config.txt
0
Comment
Question by:myintellinet
3 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38814111
I've hidden the public IP addresses in your config file.
Be carefull showing your publics to everyone ;)
0
 

Author Comment

by:myintellinet
ID: 38814168
thx!
0
 
LVL 17

Accepted Solution

by:
MAG03 earned 500 total points
ID: 38825037
One misconfiguration you have is for split tunneling.  This could also be the cause of your issue too, but it is not used on many tunnel groups.  For split tunneling you can only use a standard access list and specify the destination IP.

access-list split extended permit ip 192.168.205.0 255.255.255.0 10.1.105.0 255.255.255.0

group-policy TICsHOST internal
group-policy TICsHOST attributes
 wins-server value 192.168.205.10
 dns-server value 192.168.205.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value icowpb.local
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 client-firewall none
 client-access-rule none

So replate the current access list with the following.

access-list split standard permit 10.1.105.0 255.255.255.0
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question