Site to Site VPN Tunnel ASA 5505 with 2 VLANs

I have 2 Cisco ASA 5505 appliances.  1 has a security plus license and the other is the base license.  I need to connect a remote office using a VPN site-to-site tunnel.

At the main site I have Cisco switches set up on 2 VLANs.  VLAN20 for the 192.168.2.0 network and VLAN10 used for an ESI IP Phone system that uses UDP/TCP ports 59101 and 59002.  The phone controller is at the main site with an IP of 192.168.1.50.  At the main site I'm wanting to use the sec plus license to allow both VLANs to connect to the internet and certain traffic into both VLANs as well, but I don't need inter-VLAN traffic.

At the remote site I'm planning on using a 192.168.3.0 network with 2 VLANs (10 & 20 as well).  There will be a couple of IP phones connected to VLAN20.  I want their VLAN 10 internet traffic to go out through their respective WAN connection, but the IP phones to only connect to the main site through the VPN tunnel. If possible, I would also like for the remote site to be able to communicate with the main site's 192.168.2.0 network through the VPN tunnel.  I was planning on using the ASA 5505 base license at the remote site, but I may need to purchase a sec plus license for it as well to make this work.

I'm needing some help configuring both ends to make this all work.  I haven't configured either device yet, and thought it would be a good idea to have an "expert" involved at this point.  I'm needing to know:

1) Will this work?
2) Is a security plus license required on both ends?
3) Given that it will work and that I have the correct equipment, can you provide me with some configuration guidelines for this scenario to get me started?
Asked by: choelt

2 Solutions

rscottvan commented:
1.  Yes

2.  You will need Security Plus to have multiple internal VLANs, as well as if you have more than 10 client PCs inside the firewall.

3.  Start with the Site to Site VPN wizard in the web interface - you will probably be able to get it going using that.

Post specific questions and I'll try to answer them.

Henk van Achterberg, Sr. Technical Consultant, commented:
The ASA 5505 base license has a DMZ Restricted feature, which means you can have three networks, of which one cannot communicate with another.

So for example:

vlan 1: outside (WAN)
vlan 2: inside (LAN)
vlan 3: dmz (VOIP) (restricted to forward traffic to vlan 2)

In this setup you do not need a sec. plus license. Although if you want to use one cable with dot1q (with multiple vlans) you do need a sec. plus license.
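As an added example that is not part of either answer above and is not taken from Cisco documentation, the following is a main-site skeleton that puts the two answers together: the Security Plus unit carries both VLANs on one dot1q trunk (the point Henk makes), and the crypto map below is essentially what the ASDM Site-to-Site VPN wizard rscottvan recommends would generate. Assumptions: ASA software 8.2 (the NAT syntax changed in 8.3 and later), VLAN10 is 192.168.1.0/24 (inferred from the phone controller at 192.168.1.50), the remote site's data and phone VLANs are summarised as 192.168.3.0/24, the public addresses come from documentation ranges, the pre-shared key is a placeholder, and interface names (`voice`, `inside`) and ACL/map names are arbitrary.

```cisco
! --- Main site ASA 5505 (Security Plus) - added example, not from the thread ---
! Public addresses 203.0.113.2 (this unit) and 198.51.100.2 (remote peer) are
! documentation-range placeholders; replace with the real WAN addresses.

interface Vlan1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan10
 nameif voice
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 1
!
! One cable to the switch stack carrying both VLANs (needs Security Plus)
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Both internal interfaces sit at security-level 100 and
! "same-security-traffic permit inter-interface" is deliberately NOT set,
! so VLAN10 and VLAN20 cannot talk to each other (no inter-VLAN traffic).

! Interesting traffic: what the tunnel carries. Phones (192.168.1.0) and the
! data LAN (192.168.2.0) both reach the remote 192.168.3.0 network.
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

! NAT exemption: tunnel traffic must keep its private source address.
! Without this it would be PATed to the outside address and never match
! the crypto ACL on either side.
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (voice) 0 access-list NO-NAT
nat (inside) 0 access-list NO-NAT

! Everything else from both VLANs goes to the internet via PAT
global (outside) 1 interface
nat (voice) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0

! IKE phase 1
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! IPsec phase 2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
```

The remote unit mirrors this with the source and destination networks swapped in `VPN-TRAFFIC` and `NO-NAT` and the peer set to 203.0.113.2. Because the phone traffic rides inside the tunnel as plain IP between the two private subnets, ports 59101 and 59002 do not need to be opened on the outside interface for the remote phones; they only matter for phones reaching the controller from the internet outside the tunnel. On a base-license remote unit, Henk's three-VLAN layout applies: the phones would live on the restricted third VLAN, and the crypto ACL there would list only the phone subnet, so the remote data VLAN uses its own WAN connection while the phones reach the main site solely through the tunnel. After bringing both sides up, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 established and that the encap/decap counters increase when a phone registers.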