ndalmolin_13

I have lost the ability to access a terminal services server in a remote location and I think the issue is in the routing

Hello Experts,

Hello Cisco Experts,

I would like a second set of eyes to take a look at a configuration change that I think is going to work.  The background information is as follows:
1. We are a city government agency. The way our network is configured is we maintain the core and distribution layers of our network. However, the access layer of our network is actually a network segment on the county’s network. This is a fairly new configuration. The decision was made to give up our access layer so that our agency could take advantage of the county’s network infrastructure. As a result the county IT department provides network connectivity at the access layer and primary Internet connectivity.
2. I have a remote office with a layer three switch in that location.
3. We have both servers and workstations in the remote office. The servers reside on network 192.168.100.0/24. This network is defined and configured on the layer 3 switch in the remote location. The workstations reside on the county network. Connectivity between the servers and the workstations is established via layer 3 routing.
4. In addition to the primary Internet connection via the county network, the remote location has a secondary internet connection through an ISP.
5. There is a Cisco ASA between the secondary internet connection and the internal network. The inside interface of the ASA is 192.168.100.253.

Prior to our agency surrendering the access layer to the county, our network was configured as follows:
1. The servers and workstations in the remote site both resided on 192.168.100.0/24 network.
2. The only connection to the Internet at the remote site was via the ISP link.
3. We had a terminal services gateway server in the remote site that allowed remote access to the network.
4. The vlan configuration and routing table on the layer 3 switch when we controlled the access layer was as follows:

interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.100.254 255.255.255.0
!
interface Vlan105
 description GATEWAY_FOR_REMOTE_OFFICE_WORKSTATIONS
 ip address 192.168.105.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.100.253
ip route 10.0.0.0 255.0.0.0 Null0
ip route 10.1.5.0 255.255.255.0 192.168.99.1
ip route 10.1.6.0 255.255.255.0 192.168.99.1
ip route 10.1.100.0 255.255.255.0 192.168.99.1
ip route 10.1.101.0 255.255.255.0 192.168.99.1
ip route 10.1.102.0 255.255.255.0 192.168.99.1
ip route 10.1.150.0 255.255.255.0 192.168.99.1
ip route 10.10.10.0 255.255.255.0 192.168.99.1
ip route 10.110.100.0 255.255.255.0 192.168.99.1
ip route 10.110.101.0 255.255.255.0 192.168.99.1
ip route 10.110.105.0 255.255.255.0 192.168.99.1
ip route 10.110.110.0 255.255.255.0 192.168.99.1
ip route 10.110.112.0 255.255.255.0 192.168.99.1
ip route 10.110.113.0 255.255.255.0 192.168.99.1
ip route 10.110.114.0 255.255.255.0 192.168.99.1
ip route 10.110.200.0 255.255.255.0 192.168.99.1
ip route 10.110.201.0 255.255.255.0 192.168.99.1
ip route 10.110.220.0 255.255.255.0 192.168.99.1
ip route 10.110.250.0 255.255.255.0 192.168.99.1
ip route 10.110.251.0 255.255.255.0 192.168.99.1
ip route 159.87.125.0 255.255.255.0 192.168.99.1
ip route 159.87.127.0 255.255.255.0 192.168.99.1
ip route 192.78.147.0 255.255.255.0 192.168.99.1
ip route 103.132.14.90 255.255.255.255 192.168.99.1
ip route 103.132.14.138 255.255.255.255 192.168.99.1
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.26.107.0 255.255.255.0 192.168.99.1
ip route 192.168.0.0 255.255.0.0 Null0
ip route 192.168.16.0 255.255.255.0 192.168.100.253
ip route 192.18.118.0 255.255.255.0 192.168.99.1
ip route 192.5.201.58 255.255.255.255 192.168.99.1
ip route 207.165.91.200 255.255.255.255 192.168.99.1
ip route 207.165.91.201 255.255.255.255 192.168.99.1
ip route 208.145.119.122 255.255.255.255 192.168.99.1
ip route 208.145.119.124 255.255.255.255 192.168.99.1

Since the county has taken over our access layer, we have lost the ability to use the terminal services gateway server in the remote site to remotely access the network. We want to get this functionality back. I think the problem is in the routing. The vlan configuration and routing table of the layer 3 switch in the remote location is now as follows:

interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.100.254 255.255.255.0
!
interface Vlan990
 description POINT-TO-POINT_CONNECTION_WITH_COUNTY
 ip address 10.147.255.249 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 10.147.255.250
ip route 10.1.5.0 255.255.255.0 192.168.99.1
ip route 10.1.6.0 255.255.255.0 192.168.99.1
ip route 10.1.100.0 255.255.255.0 192.168.99.1
ip route 10.1.101.0 255.255.255.0 192.168.99.1
ip route 10.1.102.0 255.255.255.0 192.168.99.1
ip route 10.1.150.0 255.255.255.0 192.168.99.1
ip route 10.10.10.0 255.255.255.0 192.168.99.1
ip route 10.110.100.0 255.255.255.0 192.168.99.1
ip route 10.110.101.0 255.255.255.0 192.168.99.1
ip route 10.110.110.0 255.255.255.0 192.168.99.1
ip route 10.110.112.0 255.255.255.0 192.168.99.1
ip route 10.110.113.0 255.255.255.0 192.168.99.1
ip route 10.110.114.0 255.255.255.0 192.168.99.1
ip route 10.110.200.0 255.255.255.0 192.168.99.1
ip route 10.110.201.0 255.255.255.0 192.168.99.1
ip route 10.110.220.0 255.255.255.0 192.168.99.1
ip route 10.110.250.0 255.255.255.0 192.168.99.1
ip route 10.110.251.0 255.255.255.0 192.168.99.1
ip route 16.112.10.132 255.255.255.255 192.168.100.253
ip route 159.87.125.0 255.255.255.0 192.168.99.1
ip route 159.87.127.0 255.255.255.0 192.168.99.1
ip route 192.78.147.0 255.255.255.0 192.168.99.1
ip route 103.132.14.90 255.255.255.255 192.168.99.1
ip route 103.132.14.138 255.255.255.255 192.168.99.1
ip route 192.26.107.0 255.255.255.0 192.168.99.1
ip route 192.168.16.0 255.255.255.0 192.168.100.253
ip route 192.18.118.0 255.255.255.0 192.168.99.1
ip route 192.5.201.58 255.255.255.255 192.168.99.1
ip route 207.165.91.200 255.255.255.255 192.168.99.1
ip route 207.165.91.201 255.255.255.255 192.168.99.1
ip route 208.145.119.122 255.255.255.255 192.168.99.1
ip route 208.145.119.124 255.255.255.255 192.168.99.1
no ip http server
no ip http secure-server

I think if I make the following changes to the routing, I should regain the same functionality I had prior to our surrendering the access layer to the county.  I'm hoping all of you can spot any flaws in my logic or configs.

!CONFIGURE RELOAD IN CASE I LOSE CONNECTIVITY
reload in 10

!GO INTO CONFIGURATION MODE ON SWITCH
config t

!ADD SPECIFIC STATIC ROUTE TO WORKSTATIONS RESIDING ON COUNTY NETWORK
ip route 192.168.105.0 255.255.255.0 10.147.255.250

!ADD DEFAULT ROUTE POINTING TO INTERNAL INTERFACE OF ASA
ip route 0.0.0.0 0.0.0.0 192.168.100.253

!REMOVE EXISTING DEFAULT ROUTE POINTING TO COUNTY NETWORK
no ip route 0.0.0.0 0.0.0.0 10.147.255.250

There have been no changes on the ASA itself.

I know this is a way long post, but if you could take a look at the configs and tell me if I’m on the right track, I would appreciate it.

Regards
Nick
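
Added example (not part of the original post, and not the poster's or Cisco's code): a longest-prefix-match check in Python over the routing table as it would look after the three proposed commands, using the two SVIs and a subset of the static routes quoted above. It assumes the interfaces shown in the post are the only connected networks; the helper names and the sample destination addresses in the usage are constructed.

```python
import ipaddress

# Connected interfaces as shown in the post (assumed to be the complete set).
CONNECTED = {"Vlan2": "192.168.100.254/24", "Vlan990": "10.147.255.249/29"}

# Subset of the post's static routes with the proposed changes applied.
PROPOSED = """\
ip route 0.0.0.0 0.0.0.0 192.168.100.253
ip route 192.168.105.0 255.255.255.0 10.147.255.250
ip route 10.1.5.0 255.255.255.0 192.168.99.1
ip route 16.112.10.132 255.255.255.255 192.168.100.253
ip route 192.168.16.0 255.255.255.0 192.168.100.253
"""

def parse_routes(text):
    """Turn 'ip route <net> <mask> <next-hop>' lines into (network, next_hop) pairs."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[4]))
    return routes

def connected_networks(ifaces):
    """Map interface name -> directly connected subnet."""
    return {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}

def lookup(dest, routes, ifaces):
    """Longest-prefix match; a connected route wins a tie. Returns (kind, via)."""
    dest = ipaddress.ip_address(dest)
    best = None
    for name, net in connected_networks(ifaces).items():
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "connected", name)
    for net, hop in routes:
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "static", hop)
    return best[1:] if best else ("none", None)

def unresolved_next_hops(routes, ifaces):
    """Next hops that sit on no connected subnet and so need a recursive lookup."""
    nets = list(connected_networks(ifaces).values())
    return sorted({hop for _, hop in routes if hop != "Null0"
                   and not any(ipaddress.ip_address(hop) in n for n in nets)})

if __name__ == "__main__":
    table = parse_routes(PROPOSED)
    for d in ("192.168.105.20", "198.51.100.7", "192.168.99.1"):  # constructed
        print(d, "->", lookup(d, table, CONNECTED))
    print("recursive next hops:", unresolved_next_hops(table, CONNECTED))
```

With only the interfaces shown in the post, 192.168.99.1 is not on a connected subnet, so every route that points at it follows whichever default route is installed; moving the default to 192.168.100.253 moves those routes with it.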

Last Comment
Benjamin Van Ditmars
8/22/2022 - Mon
ASKER CERTIFIED SOLUTION