• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 401
  • Last Modified:

Cisco ASA 5505 Site to Site VPN with VLANS and Segmented Interfaces.

Currently we have 5 sites with LAN and Voice traffic on different subnets. The sites look like this.

schema:
LANs: 192.168.201.x - 192.168.205.x
Voice: 10.10.1.x - 10.10.5.x

Site 1 - 4 Remote Offices:
Interface 0/1
Trunked
vlans allowed are voice and Lan

Sites 1-4 have worked flawlessly for years. We recently added a COLO (site 5), migrated the Phone System and Servers to VMware.

Site 5: (192.168.205.x LAN and 10.10.5.x Voice)
Interface 0/1
Switchport with LAN VLAN allowed
Interface 0/5
Switchport with VOICE VLAN allowed

All LAN traffic at every site works over the VPN, we can also ping the VOICE (10.10.5.x) network with 50-75 percent success. However when we do this ping all traffic everywhere blips for a couple seconds then comes back online. We are unable to access the phone system web portal from remote sites or COLO. I feel like there is a simple routing statement missing or NAT rule or access config that's been missed. Any help is appreciated. I've added the Site 5 (COLO) config below. I will add the other configs when they are sent to me. I'm working with another IT company on this project so I'm somewhat at their mercy.
TIC-COLO-Config.txt
0
myintellinet
Asked:
myintellinet
1 Solution
 
Ernie BeekCommented:
I've hidden the public IP addresses in your config file.
Be carefull showing your publics to everyone ;)
0
 
myintellinetAuthor Commented:
thx!
0
 
Marius GunnerudSenior Systems EngineerCommented:
One misconfiguration you have is for split tunneling.  This could also be the cause of your issue too, but it is not used on many tunnel groups.  For split tunneling you can only use a standard access list and specify the destination IP.

access-list split extended permit ip 192.168.205.0 255.255.255.0 10.1.105.0 255.255.255.0

group-policy TICsHOST internal
group-policy TICsHOST attributes
 wins-server value 192.168.205.10
 dns-server value 192.168.205.10
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value icowpb.local
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 client-firewall none
 client-access-rule none

So replate the current access list with the following.

access-list split standard permit 10.1.105.0 255.255.255.0
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now