Solved

Vlan Routing

Posted on 2013-11-08
Last Modified: 2013-11-14
We have a problem routing between vlans.

I can ping from vlan1 to vlan20 but unable to remote desktop to the Shoretel HQ server.

When a client is connected into vlan20 on the 172.16.0.0 range it's fine.

Ideas?
0
Question by:CHI-LTD
19 Comments
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 400 total points
ID: 39633918
If you can ping, then connectivity is reaching back and forth between the vlans. What is providing your vlan routing? You could be blocking certain traffic at that point.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39634998
Is RDP (3389 or 3390) traffic permitted across your vlans?


Just out of curiosity, disable the firewall on the server and try it again.
Use the same user account that works when you log in within the same vlan.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39638163
We don't have any firewalls on servers.

We can ping between vlan1 and vlan20 on the HP 2910al but unable to ping from vlan20 to vlan1 on the hp 1910..
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39638802
Okay, your original question didn't mention that you were pinging from switches. Can you post configs?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39638943
HP2910al POE:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
power-over-ethernet pre-std-detect
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip default-gateway 172.16.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.16.10.15
interface 1
   name "to HP1910 (top)"
   no power-over-ethernet
   exit
interface 2
   name "tp HP1910 (bottom)"
   no power-over-ethernet
   exit
interface 3
   name "to ASA 5505 fe01"
   no power-over-ethernet
   exit
interface 4
   no power-over-ethernet
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "Oaisys Port Mirror"
   exit
interface 11
   name "Shoretel HQ"
   exit
interface 12
   name "Ingate"
   exit
interface 48
   name "to ASA 5505 fe02"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
spanning-tree
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   exit
no autorun
password manager

Don't know how to get the 1910 off...
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39638970
ASA;

ASA Version 8.4(2)
!
hostname ChurchHouse-Sherborne
domain-name abz0.ifb.net
enable password PR6HuOoK9pk.2W7I encrypted
passwd F70teQHVkT1RhJoL encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 20
!
interface Ethernet0/3
 switchport access vlan 20
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description To LAN
 nameif inside
 security-level 100
 ip address 172.19.10.15 255.255.0.0
!
interface Vlan2
 description To Internet
 nameif outside
 security-level 0
 ip address 188.39.71.98 255.255.255.248
!
interface Vlan20
 nameif Voice
 security-level 100
 ip address 172.16.10.15 255.255.0.0
!
banner login
banner login This system is private property.
banner login Unauthorised users are prohibited and must disconnect now.
banner login All actions are logged.
banner login
boot system disk0:/asa842-k8.bin
no ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name abz0.ifb.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-network
 subnet 172.19.0.0 255.255.0.0
 description Inside network
object network 10.255.254.0_25
 subnet 10.255.254.0 255.255.255.128
 description Hounslow Roam VPN
object network 10.255.255.0_25
 subnet 10.255.255.0 255.255.255.128
 description Yeovil Roam VPN
object network 192.168.3.0_24
 subnet 192.168.3.0 255.255.255.0
 description London LAN
object network 172.19.10.21_pop3
 host 172.19.10.21
object network Mimecast_DC_1
 subnet 135.196.24.192 255.255.255.240
object network Mimecast_DC_2
 subnet 213.235.63.64 255.255.255.192
object network Mimecast_DC_3
 subnet 94.185.244.0 255.255.255.0
object network Mimecast_DC_4
 subnet 212.2.3.128 255.255.255.192
object network Mimecast_DC_5
 subnet 212.199.232.144 255.255.255.248
object network Mimecast_DC_6
 subnet 195.130.217.0 255.255.255.0
object network Mimecast_DC_7
 subnet 91.220.42.0 255.255.255.0
object network 172.19.10.21_smtp
 host 172.19.10.21
object network 192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
 description Hounslow LAN
object network Bloomberg_1
 subnet 160.43.250.0 255.255.255.0
object network Bloomberg_2
 subnet 205.216.112.0 255.255.255.0
object network Bloomberg_3
 subnet 206.156.53.0 255.255.255.0
object network Bloomberg_4
 subnet 208.22.56.0 255.255.255.0
object network Bloomberg_5
 subnet 208.22.57.0 255.255.255.0
object network Bloomberg_6
 subnet 69.191.192.0 255.255.192.0
object network Proquote_1
 host 195.26.26.140
object network Proquote_2
 host 195.26.26.150
object network Proquote_3
 host 195.26.26.16
object network Proquote_4
 host 195.26.27.141
object network Proquote_5
 host 195.26.27.150
object network Proquote_6
 host 212.47.180.32
object network Proquote_7
 host 213.38.100.13
object network Proquote_8
 host 213.38.100.4
object network Proquote_9
 host 213.38.100.5
object network Proquote_10
 host 213.38.100.6
object network proxy137.scansafe.net
 host 80.254.152.99
object network proxy411.scansafe.net
 host 80.254.147.163
object network obj-vpn-london
 subnet 192.168.3.0 255.255.255.0
object network Mimecast_DC_8
 subnet 94.185.240.0 255.255.255.0
object network 172.19.10.17_ldap
 host 172.19.10.17
object network proxy493.scansafe.net
 host 80.254.158.179
object network proxy494.scansafe.net
 host 80.254.158.187
object network proxy503.scansafe.net
 host 80.254.158.211
object network proxy504.scansafe.net
 host 80.254.158.219
object network 172.19.10.21_http
 host 172.19.10.21
object network 172.19.10.21_https
 host 172.19.10.21
object network INGATE
 host 172.160.10.35
object-group network Mimecast
 description Mimecast email filtering sources
 network-object object Mimecast_DC_1
 network-object object Mimecast_DC_2
 network-object object Mimecast_DC_3
 network-object object Mimecast_DC_4
 network-object object Mimecast_DC_5
 network-object object Mimecast_DC_6
 network-object object Mimecast_DC_7
 network-object object Mimecast_DC_8
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ldap
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_1
 network-object object 10.255.254.0_25
 network-object object 10.255.255.0_25
 network-object object 192.168.2.0_24
 network-object object 192.168.3.0_24
object-group network Bloomberg
 network-object object Bloomberg_1
 network-object object Bloomberg_2
 network-object object Bloomberg_3
 network-object object Bloomberg_4
 network-object object Bloomberg_5
 network-object host 194.105.166.35
 network-object object Bloomberg_6
object-group network Proquote
 network-object object Proquote_1
 network-object object Proquote_2
 network-object object Proquote_3
 network-object object Proquote_4
 network-object object Proquote_5
 network-object object Proquote_6
 network-object object Proquote_7
 network-object object Proquote_8
 network-object object Proquote_9
 network-object object Proquote_10
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination range 8194 8198
 service-object udp destination range 48129 48137
 service-object tcp destination range 8209 8294
object-group service DM_INLINE_TCP_2 tcp
 port-object range 2300 2400
 port-object eq 6969
object-group network DM_INLINE_NETWORK_2
 network-object object proxy137.scansafe.net
 network-object object proxy411.scansafe.net
 network-object object proxy493.scansafe.net
 network-object object proxy494.scansafe.net
 network-object object proxy503.scansafe.net
 network-object object proxy504.scansafe.net
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp destination eq domain
 service-object tcp destination eq 3101
 service-object tcp destination eq 4103
 service-object tcp destination eq 4105
 service-object tcp destination eq ftp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination range 49100 49200
object-group service DM_INLINE_TCP_3 tcp
 port-object range 1130 1132
 port-object eq 4800
 port-object eq 50110
 port-object range 50112 50115
 port-object range 50140 50142
 port-object range 50802 50803
 port-object range 50806 50808
object-group service DM_INLINE_TCP_4 tcp
 port-object eq ldap
 port-object eq pop3
 port-object eq smtp
object-group network DM_INLINE_NETWORK_4
 network-object object 192.168.2.0_24
 network-object 10.255.254.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
 network-object host 194.105.166.35
 group-object Mimecast
object-group network DM_INLINE_NETWORK_6
 network-object object proxy137.scansafe.net
 network-object object proxy411.scansafe.net
object-group network DM_INLINE_NETWORK_7
 network-object object inside-network
 network-object 10.255.254.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 10.255.255.0 255.255.255.0
 network-object object inside-network
object-group network obj-CiscoCloud
 network-object 70.39.231.91 255.255.255.255
 network-object 70.39.231.107 255.255.255.255
 network-object 70.39.231.155 255.255.255.255
 network-object 70.39.231.171 255.255.255.255
 network-object 80.254.147.251 255.255.255.255
 network-object 80.254.158.35 255.255.255.255
 network-object 80.254.158.147 255.255.255.255
 network-object 80.254.158.155 255.255.255.255
object-group network DM_INLINE_NETWORK_8
 network-object object 10.255.254.0_25
 network-object object inside-network
object-group network DM_INLINE_NETWORK_9
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inbound extended permit object-group TCPUDP any range 1 65535 host 188.39.71.100 range 1 65535
access-list inbound extended permit object-group TCPUDP any range 6000 40000 host 188.39.71.100 range 6000 40000
access-list inbound extended permit object-group TCPUDP any range 1 65535 host 188.39.71.100 eq sip
access-list inbound extended permit icmp any host 80.76.122.145 echo-reply
access-list inbound extended permit icmp any host 80.76.122.145 source-quench
access-list inbound extended permit icmp any host 80.76.122.145 time-exceeded
access-list inbound extended permit icmp any host 80.76.122.145 unreachable
access-list inbound extended permit icmp any host 80.76.122.145 traceroute
access-list inbound extended permit icmp any object inside-network echo-reply
access-list inbound extended permit icmp any object inside-network time-exceeded
access-list inbound extended permit icmp any object inside-network unreachable
access-list inbound extended permit icmp any object inside-network traceroute
access-list inbound extended permit icmp any object inside-network source-quench
access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_5 host 172.19.10.21 object-group DM_INLINE_TCP_1
access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_5 host 172.19.10.4 object-group DM_INLINE_TCP_1 inactive
access-list inbound extended permit tcp object-group DM_INLINE_NETWORK_5 host 172.19.10.17 object-group DM_INLINE_TCP_1
access-list inbound extended permit tcp any object 172.19.10.21_http eq www
access-list inbound extended permit tcp any object 172.19.10.21_https eq https
access-list inbound extended permit ip any 172.16.0.0 255.255.0.0
access-list inbound extended permit udp any object INGATE eq sip
access-list inbound extended permit tcp any object INGATE eq sip
access-list inside_access_in extended permit ip 172.19.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 172.19.0.0 255.255.0.0 object-group Bloomberg
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 host 81.168.26.81 object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object-group Proquote object-group DM_INLINE_TCP_3
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_2 eq 8080
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_6 eq 8090
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 172.19.0.0 255.255.0.0 any
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 host 77.73.1.127 eq ssh
access-list inside_access_in extended permit tcp host 172.19.10.17 object-group Mimecast object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit tcp host 172.19.10.4 object-group Mimecast object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit ip host 172.19.10.21 any
access-list inside_access_in extended permit tcp host 172.19.10.7 any eq 3101
access-list inside_access_in extended permit icmp 172.19.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip any object-group obj-CiscoCloud
access-list inside_access_in extended permit tcp 172.19.0.0 255.255.0.0 host 212.102.222.248 eq 5677
access-list inside_access_in extended permit ip host 172.19.10.17 any
access-list inside_access_in extended permit tcp host 172.19.10.21 object-group Mimecast object-group DM_INLINE_TCP_4
access-list inside_access_in extended permit tcp host 172.19.10.28 any eq 3101
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list vpn-roam-split standard permit 172.19.0.0 255.255.0.0
access-list vpn-roam-split standard permit 192.168.3.0 255.255.255.0
access-list vpn-roam-split standard permit 192.168.2.0 255.255.255.0
access-list acl-vpn-london extended permit ip object inside-network object obj-vpn-london
access-list acl-vpn-london-dummy extended permit ip object-group DM_INLINE_NETWORK_7 object obj-vpn-london
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
pager lines 24
logging enable
logging timestamp
logging buffer-size 16000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Voice 1500
ip local pool vpnpool 10.255.255.1-10.255.255.127 mask 255.255.255.128
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.19.0.0 255.255.0.0 inside
icmp permit 194.105.167.0 255.255.255.192 outside
icmp permit host 194.105.166.224 outside
icmp permit 194.105.166.0 255.255.255.192 outside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,any) source static inside-network inside-network destination static 192.168.2.0_24 192.168.2.0_24
nat (any,any) source static 10.255.255.0_25 10.255.255.0_25 destination static 192.168.2.0_24 192.168.2.0_24
nat (inside,any) source static inside-network inside-network destination static 10.255.255.0_25 10.255.255.0_25
nat (inside,outside) source static inside-network inside-network destination static obj-vpn-london obj-vpn-london
nat (inside,any) source static inside-network inside-network destination static 10.255.254.0_25 10.255.254.0_25
nat (outside,inside) source static any any destination static INGATE INGATE
!
object network 172.19.10.21_pop3
 nat (inside,outside) static interface service tcp pop3 pop3
object network 172.19.10.21_smtp
 nat (inside,outside) static interface service tcp smtp smtp
object network 172.19.10.17_ldap
 nat (inside,outside) static interface service tcp ldap ldap
object network 172.19.10.21_http
 nat (inside,outside) static interface service tcp www www
object network 172.19.10.21_https
 nat (inside,outside) static interface service tcp https https
object network INGATE
 nat (inside,outside) static 188.39.71.100 service udp sip sip
!
nat (any,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 188.39.71.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8443
http 172.19.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 212.102.222.228
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 188.39.121.250
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address acl-vpn-london-dummy
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 81.171.221.234
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.19.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5

dhcpd option 156 ascii ftpservers=172.16.10.30,layer2tagging=1,vlanid=20
!
dhcpd address 172.16.105.1-172.16.105.253 Voice
dhcpd dns 8.8.8.8 interface Voice
dhcpd enable Voice
!
!
tls-proxy maximum-session 12
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.105.167.1
ntp server 194.105.166.1
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_188.39.121.250 internal
group-policy GroupPolicy_188.39.121.250 attributes
 vpn-tunnel-protocol ikev1
group-policy VPN-Hounslow internal
group-policy VPN-Hounslow attributes
 vpn-tunnel-protocol ikev1
group-policy roam-vpn internal
group-policy roam-vpn attributes
 wins-server value 172.19.10.17 172.19.10.18
 dns-server value 172.19.10.17 172.19.10.18
 vpn-tunnel-protocol ikev1
 pfs enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-roam-split
 split-dns none
username CommsAdmin password QcInhlcqc3PTxjrq encrypted privilege 15
tunnel-group 62.73.138.180 type ipsec-l2l
tunnel-group 62.73.138.180 general-attributes
 default-group-policy VPN-Hounslow
tunnel-group 62.73.138.180 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group roam-vpn type remote-access
tunnel-group roam-vpn general-attributes
 address-pool vpnpool
 default-group-policy roam-vpn
tunnel-group roam-vpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 81.171.221.234 type ipsec-l2l
tunnel-group 81.171.221.234 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 212.102.222.228 type ipsec-l2l
tunnel-group 212.102.222.228 general-attributes
 default-group-policy VPN-Hounslow
tunnel-group 212.102.222.228 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 188.39.121.250 type ipsec-l2l
tunnel-group 188.39.121.250 general-attributes
 default-group-policy GroupPolicy_188.39.121.250
tunnel-group 188.39.121.250 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7b997c85aa057e2b52a759c3ff214695
: end
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 400 total points
ID: 39639024
Is the ASA routing for the vlan or the HP? As for the HP 19, what default gateway do you have set on the switch, and are you properly trunking both vlans to the HP 29?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39639081
ASA doing the routing for vlans.
No DGW on the 19.
No trunks setup at all..
0
 
LVL 26

Accepted Solution

by:Soulja
Soulja earned 400 total points
ID: 39639120
What IP do you have configured on the 19? If you don't have a default gateway set, it will not be able to ping a different subnet.

No trunks to the ASA?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39639133
172.19.4.4 on the 19. Can't see a DGW, and never had one configured on these 2x 1910s..
OK, possibly 2x trunks; fe0/1 and fe0/2 for the vlan1 and vlan20..
fe0/1 going to the Hp 2910 on vlan1
fe0/2 going to the HP 2910 on vlan20

daisy chained from the 1910 to the 2910 on vlan1
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 400 total points
ID: 39639189
Yep, you need a default gateway which would be 172.19.10.15.

Those two ports aren't trunks, but access ports. You need to tag both vlans to each in order for them to be trunks. Make sure you have spanning tree enabled before you do so.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39639204
We have 172.19.10.15 as DGW for vlan1 machines.
We have 172.16.10.15 as DGW for vlan20 machines.

Both are the ports on the ASA.

I have been told by the comms co STP set to off (on the switch)
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39639216
You are using separate ASA interfaces for the vlans?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39639244
yes, fe01 and 02
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39639384
Is there a reason you did it this way?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39640970
yes, as advised by my ISP
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39640971
and L3 switch by my telecoms co..
0
 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 100 total points
ID: 39641525
Do a detailed packet trace between the source and destination to see where the traffic is dropping

packet-tracer input inside tcp 172.19.10.x 3389 172.16.10.x 3389 detailed
0
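An added example, not part of the original thread: a first-match evaluation of the posted inside_access_in list (applied inbound on the inside interface by the posted access-group line) for the kind of flow the packet-tracer command above tests, showing how that list treats ICMP and TCP 3389 from vlan1 to vlan20. It assumes only the entries with destination any can match 172.16.0.0/16, so the others are omitted, and the two host addresses are constructed sample values.

```python
import ipaddress

# Constructed input: entries copied from the ASA config posted in this thread.
# Only the inside_access_in entries with destination "any" are kept; the rest
# name external hosts or VPN subnets, none of them inside 172.16.0.0/16.
SERVICE_GROUP_2 = """\
service-object tcp-udp destination eq domain
service-object tcp destination eq 3101
service-object tcp destination eq 4103
service-object tcp destination eq 4105
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination range 49100 49200"""

ACL = """\
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 172.19.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip host 172.19.10.21 any
access-list inside_access_in extended permit tcp host 172.19.10.7 any eq 3101
access-list inside_access_in extended permit icmp 172.19.0.0 255.255.0.0 any
access-list inside_access_in extended permit ip host 172.19.10.17 any
access-list inside_access_in extended permit tcp host 172.19.10.28 any eq 3101"""

NAMED_PORTS = {"domain": 53, "ftp": 21, "www": 80, "https": 443}


def port(tok):
    """Translate an ASA port keyword or number into an integer."""
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def parse_services(text):
    """Expand service-object lines into (protocol, low_port, high_port)."""
    out = []
    for line in text.splitlines():
        t = line.split()  # service-object PROTO destination eq P | range LO HI
        lo = port(t[4])
        hi = port(t[5]) if t[3] == "range" else lo
        protos = ("tcp", "udp") if t[1] == "tcp-udp" else (t[1],)
        out += [(p, lo, hi) for p in protos]
    return out


def take_addr(t):
    """Consume one address spec (any | host A | NET MASK) from token list t."""
    head = t.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(t.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{t.pop(0)}")


def parse_acl(text, services):
    """Turn extended ACL lines into (action, src, dst, services, line)."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        action, t = t[3], t[4:]
        proto = t.pop(0)
        svcs = None
        if proto == "object-group":
            t.pop(0)  # group name; this sample only uses DM_INLINE_SERVICE_2
            svcs = services
        src, dst = take_addr(t), take_addr(t)
        if svcs is None:
            lo, hi = (port(t[1]),) * 2 if t[:1] == ["eq"] else (0, 65535)
            svcs = [(proto, lo, hi)]
        rules.append((action, src, dst, svcs, line))
    return rules


def evaluate(rules, proto, src, dst, dport=0):
    """First matching entry wins; an interface ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet, svcs, line in rules:
        if s in snet and d in dnet and any(
                p in ("ip", proto) and lo <= dport <= hi for p, lo, hi in svcs):
            return action, line
    return "deny", "implicit deny"


RULES = parse_acl(ACL, parse_services(SERVICE_GROUP_2))

if __name__ == "__main__":
    client, server = "172.19.10.50", "172.16.10.30"  # constructed sample hosts
    print("icmp    ", evaluate(RULES, "icmp", client, server))
    print("tcp/3389", evaluate(RULES, "tcp", client, server, 3389))
    print("tcp/3389 from .17", evaluate(RULES, "tcp", "172.19.10.17", server, 3389))
```
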
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 39648437
Changed the routing from ASA to HP
0
