I have lost the ability to access a terminal services server in a remote location and I think the issue is in the routing

Hello Experts,

Hello Cisco Experts,

I would like a second set of eyes to take a look at a configuration change that I think is going to work.  The background information is as follows:
1. We are a city government agency.  The way our network is configured is we maintain the core and distribution layers of our network.  However, the access layer of our network is actually a network segment on the county’s network.  This is a fairly new configuration.  The decision was made to give up our access layer so that our agency could take advantage of the county’s network infrastructure.  As a result the county IT department provides network connectivity at the access layer and primary Internet connectivity.
2. I have a remote office with a layer three switch in that location.
3. We have both servers and workstations in the remote office.  The servers reside on network 192.168.100.0/24.  This network is defined and configured on the layer 3 switch in the remote location.  The workstations reside on the county network.  Connectivity between the servers and the workstations is established via layer 3 routing.
4. In addition to the primary Internet connection via the county network, the remote location has a secondary internet connection through an ISP.
5. There is a Cisco ASA between the secondary internet connection and the internal network.  The inside interface of the ASA is 192.168.100.253.

Prior to our agency surrendering the access layer to the county, our network was configured as follows:
1. The servers and workstations in the remote site both resided on the 192.168.100.0/24 network.
2. The only connection to the Internet at the remote site was via the ISP link.
3. We had a terminal services gateway server in the remote site that allowed remote access to the network.
4. The vlan configuration and routing table on the layer 3 switch when we controlled the access layer was as follows:

interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.100.254 255.255.255.0
!
interface Vlan105
 description GATEWAY_FOR_REMOTE_OFFICE_WORKSTATIONS
 ip address 192.168.105.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.100.253
ip route 10.0.0.0 255.0.0.0 Null0
ip route 10.1.5.0 255.255.255.0 192.168.99.1
ip route 10.1.6.0 255.255.255.0 192.168.99.1
ip route 10.1.100.0 255.255.255.0 192.168.99.1
ip route 10.1.101.0 255.255.255.0 192.168.99.1
ip route 10.1.102.0 255.255.255.0 192.168.99.1
ip route 10.1.150.0 255.255.255.0 192.168.99.1
ip route 10.10.10.0 255.255.255.0 192.168.99.1
ip route 10.110.100.0 255.255.255.0 192.168.99.1
ip route 10.110.101.0 255.255.255.0 192.168.99.1
ip route 10.110.105.0 255.255.255.0 192.168.99.1
ip route 10.110.110.0 255.255.255.0 192.168.99.1
ip route 10.110.112.0 255.255.255.0 192.168.99.1
ip route 10.110.113.0 255.255.255.0 192.168.99.1
ip route 10.110.114.0 255.255.255.0 192.168.99.1
ip route 10.110.200.0 255.255.255.0 192.168.99.1
ip route 10.110.201.0 255.255.255.0 192.168.99.1
ip route 10.110.220.0 255.255.255.0 192.168.99.1
ip route 10.110.250.0 255.255.255.0 192.168.99.1
ip route 10.110.251.0 255.255.255.0 192.168.99.1
ip route 159.87.125.0 255.255.255.0 192.168.99.1
ip route 159.87.127.0 255.255.255.0 192.168.99.1
ip route 192.78.147.0 255.255.255.0 192.168.99.1
ip route 103.132.14.90 255.255.255.255 192.168.99.1
ip route 103.132.14.138 255.255.255.255 192.168.99.1
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.26.107.0 255.255.255.0 192.168.99.1
ip route 192.168.0.0 255.255.0.0 Null0
ip route 192.168.16.0 255.255.255.0 192.168.100.253
ip route 192.18.118.0 255.255.255.0 192.168.99.1
ip route 192.5.201.58 255.255.255.255 192.168.99.1
ip route 207.165.91.200 255.255.255.255 192.168.99.1
ip route 207.165.91.201 255.255.255.255 192.168.99.1
ip route 208.145.119.122 255.255.255.255 192.168.99.1
ip route 208.145.119.124 255.255.255.255 192.168.99.1

Since the county has taken over our access layer, we have lost the ability to use the terminal services gateway server in the remote site to remotely access the network.  We want to get this functionality back.  I think the problem is in the routing.  The vlan configuration and routing table of the layer 3 switch in the remote location is now as follows:

interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.100.254 255.255.255.0
!
interface Vlan990
 description POINT-TO-POINT_CONNECTION_WITH_COUNTY
 ip address 10.147.255.249 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 10.147.255.250
ip route 10.1.5.0 255.255.255.0 192.168.99.1
ip route 10.1.6.0 255.255.255.0 192.168.99.1
ip route 10.1.100.0 255.255.255.0 192.168.99.1
ip route 10.1.101.0 255.255.255.0 192.168.99.1
ip route 10.1.102.0 255.255.255.0 192.168.99.1
ip route 10.1.150.0 255.255.255.0 192.168.99.1
ip route 10.10.10.0 255.255.255.0 192.168.99.1
ip route 10.110.100.0 255.255.255.0 192.168.99.1
ip route 10.110.101.0 255.255.255.0 192.168.99.1
ip route 10.110.110.0 255.255.255.0 192.168.99.1
ip route 10.110.112.0 255.255.255.0 192.168.99.1
ip route 10.110.113.0 255.255.255.0 192.168.99.1
ip route 10.110.114.0 255.255.255.0 192.168.99.1
ip route 10.110.200.0 255.255.255.0 192.168.99.1
ip route 10.110.201.0 255.255.255.0 192.168.99.1
ip route 10.110.220.0 255.255.255.0 192.168.99.1
ip route 10.110.250.0 255.255.255.0 192.168.99.1
ip route 10.110.251.0 255.255.255.0 192.168.99.1
ip route 16.112.10.132 255.255.255.255 192.168.100.253
ip route 159.87.125.0 255.255.255.0 192.168.99.1
ip route 159.87.127.0 255.255.255.0 192.168.99.1
ip route 192.78.147.0 255.255.255.0 192.168.99.1
ip route 103.132.14.90 255.255.255.255 192.168.99.1
ip route 103.132.14.138 255.255.255.255 192.168.99.1
ip route 192.26.107.0 255.255.255.0 192.168.99.1
ip route 192.168.16.0 255.255.255.0 192.168.100.253
ip route 192.18.118.0 255.255.255.0 192.168.99.1
ip route 192.5.201.58 255.255.255.255 192.168.99.1
ip route 207.165.91.200 255.255.255.255 192.168.99.1
ip route 207.165.91.201 255.255.255.255 192.168.99.1
ip route 208.145.119.122 255.255.255.255 192.168.99.1
ip route 208.145.119.124 255.255.255.255 192.168.99.1
no ip http server
no ip http secure-server

I think if I make the following changes to the routing, I should regain the same functionality I had prior to our surrendering the access layer to the county.  I'm hoping all of you can spot any flaws in my logic or configs.

!CONFIGURE RELOAD IN CASE I LOSE CONNECTIVITY
reload in 10

!GO INTO CONFIGURATION MODE ON SWITCH
config t

!ADD SPECIFIC STATIC ROUTE TO WORKSTATIONS RESIDING ON COUNTY NETWORK
ip route 192.168.105.0 255.255.255.0 10.147.255.250

!ADD DEFAULT ROUTE POINTING TO INTERNAL INTERFACE OF ASA
ip route 0.0.0.0 0.0.0.0 192.168.100.253

!REMOVE EXISTING DEFAULT ROUTE POINTING TO COUNTY NETWORK
no ip route 0.0.0.0 0.0.0.0 10.147.255.250

There have been no changes on the ASA itself.

I know this is a way long post, but if you could take a look at the configs and tell me if I’m on the right track, I would appreciate it.

Regards
Nick
ndalmolin_13 asked:

Benjamin Van Ditmars commented:
Nick,


We have systems that look a lot like these.
We build them like this:

Changes to your ASA

IP address of the ASA
192.168.101.254 255.255.255.252

In the ASA, make a route 192.168.100.0 255.255.255.0 192.168.101.253
so the network knows the way back.

ACLs and NAT policies assigned to the "old network" 192.168.100.0/24 will still work, don't worry.

Create a VLAN, let's say 991, and give it an IP address like this:
ip address 192.168.101.253 255.255.255.252
Give it one untagged port to the ASA.

Route table, layer 3 switch:

ip route 10.1.5.0 255.255.255.0 10.147.255.249
ip route 10.1.6.0 255.255.255.0 10.147.255.249
ip route 10.1.100.0 255.255.255.0 10.147.255.249
ip route 10.1.101.0 255.255.255.0 10.147.255.249
ip route 10.1.102.0 255.255.255.0 10.147.255.249
ip route 10.1.150.0 255.255.255.0 10.147.255.249
ip route 10.10.10.0 255.255.255.0 10.147.255.249
ip route 10.110.100.0 255.255.255.0 10.147.255.249
ip route 10.110.101.0 255.255.255.0 10.147.255.249
ip route 10.110.110.0 255.255.255.0 10.147.255.249
ip route 10.110.112.0 255.255.255.0 10.147.255.249
ip route 10.110.113.0 255.255.255.0 10.147.255.249
ip route 10.110.114.0 255.255.255.0 10.147.255.249
ip route 10.110.200.0 255.255.255.0 10.147.255.249
ip route 10.110.201.0 255.255.255.0 10.147.255.249
ip route 10.110.220.0 255.255.255.0 10.147.255.249
ip route 10.110.250.0 255.255.255.0 10.147.255.249
ip route 10.110.251.0 255.255.255.0 10.147.255.249
ip route 159.87.125.0 255.255.255.0 10.147.255.249
ip route 159.87.127.0 255.255.255.0 10.147.255.249
ip route 192.78.147.0 255.255.255.0 10.147.255.249
ip route 103.132.14.90 255.255.255.255 10.147.255.249
ip route 103.132.14.138 255.255.255.255 10.147.255.249
ip route 192.26.107.0 255.255.255.0 10.147.255.249
ip route 192.18.118.0 255.255.255.0 10.147.255.249
ip route 192.5.201.58 255.255.255.255 10.147.255.249
ip route 207.165.91.200 255.255.255.255 10.147.255.249
ip route 207.165.91.201 255.255.255.255 10.147.255.249
ip route 208.145.119.122 255.255.255.255 10.147.255.249
ip route 208.145.119.124 255.255.255.255 10.147.255.249

ip route 0.0.0.0 0.0.0.0 192.168.101.254

These routes are not used, because our default gateway is the ASA:

ip route 16.112.10.132 255.255.255.255 192.168.100.253
ip route 192.168.16.0 255.255.255.0 192.168.100.253

client address 192.168.100.1/24
Your clients and servers will have 192.168.100.254 as gateway.


Test Sample private network

try to access 103.132.14.138

192.168.100.1 -> 192.168.100.254
192.168.100.254 -> 10.147.255.249 (route found to remote address)
10.147.255.249 -> ... some routers to host 103.132.14.138

I assume there is a route in the router of the private network that tells the way
back to 192.168.100.0/25 is 10.147.255.250


Test Sample internet

try to access 8.8.8.8

route

192.168.100.1 -> 192.168.100.254
192.168.100.254 -> 192.168.101.254 (ASA, because no hit on route)
192.168.101.254 -> to outside internet

way back

to outside internet -> 192.168.101.254
192.168.101.254 -> 192.168.101.253 (route in ASA)
192.168.101.253 -> 192.168.100.254 (layer 3 route)
192.168.100.254 -> 192.168.100.10


I hope this is a solution for your problem. If you have any questions, just let me know.

Benjamin
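An added walk-through (example code written for this page, not from Nick's or Benjamin's posts) that performs the switch's longest-prefix-match lookup against three route tables: the current config, Nick's proposed change, and Benjamin's transit-VLAN design. It models only the interfaces shown in the question (Vlan2 and Vlan990) plus the /30 from the answer, represents the long run of /24s via 192.168.99.1 with a single entry, uses 198.51.100.7 as a constructed Internet client address, and for the transit design assumes the county side of the Vlan990 link (10.147.255.250) as the next hop for the county prefixes. It shows the point behind both posts: a server's reply to an Internet client currently leaves via the county link rather than the ASA the session came in through, which a stateful firewall doing NAT cannot reconcile, and with either change the reply goes back to the ASA. It also follows recursive next hops, so it shows that, given only the interfaces listed, the routes via 192.168.99.1 resolve through whichever default route is active; `show ip route 192.168.99.1` on the switch is the check for where that next hop really lives.

```python
"""Longest-prefix-match walk-through of the switch route tables in this thread
(current, Nick's proposed change, Benjamin's transit-VLAN design)."""
import ipaddress

ASA_INSIDE_CURRENT = "192.168.100.253"   # ASA inside interface from the question
ASA_INSIDE_TRANSIT = "192.168.101.254"   # ASA inside address from the answer
COUNTY = "10.147.255.250"                # county side of the Vlan990 /29

# Directly connected networks, from the interfaces shown in the question.
CONNECTED = {"192.168.100.0/24": "Vlan2", "10.147.255.248/29": "Vlan990"}
# The answer adds a /30 transit VLAN (991) between the switch and the ASA.
CONNECTED_TRANSIT = dict(CONNECTED, **{"192.168.101.252/30": "Vlan991"})

# Static routes as (prefix, next hop). The run of /24s via 192.168.99.1 is
# represented by a single entry; the rest of the table is unchanged by the change.
CURRENT = [
    ("0.0.0.0/0", COUNTY),
    ("10.1.5.0/24", "192.168.99.1"),
    ("16.112.10.132/32", ASA_INSIDE_CURRENT),
    ("192.168.16.0/24", ASA_INSIDE_CURRENT),
]
PROPOSED = [r for r in CURRENT if r[0] != "0.0.0.0/0"] + [
    ("192.168.105.0/24", COUNTY),          # workstations, now on the county side
    ("0.0.0.0/0", ASA_INSIDE_CURRENT),     # default route back to the ASA
]
TRANSIT = [
    ("0.0.0.0/0", ASA_INSIDE_TRANSIT),
    ("10.1.5.0/24", COUNTY),               # assumption: county side as next hop
]


def lookup(routes, dst):
    """Longest-prefix match of dst against routes; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def egress(routes, dst, connected=CONNECTED, max_depth=4):
    """Interface and directly connected hop the packet leaves through, resolving
    a static route's remote next hop recursively as the switch would.
    Returns (interface, hop), or (None, None) when there is no usable route."""
    hop = dst
    for _ in range(max_depth):
        addr = ipaddress.ip_address(hop)
        for prefix, ifname in connected.items():
            if addr in ipaddress.ip_network(prefix):
                return ifname, hop
        match = lookup(routes, hop)
        if match is None:
            return None, None            # no route: packet dropped
        hop = match[1]                   # next hop is not connected: recurse
    return None, None                    # unresolvable after max_depth hops


def reply_leaves_via(routes, internet_client, connected=CONNECTED):
    """Next hop for a server's reply to an Internet client. A session that
    entered through the stateful ASA must reply through the same ASA."""
    return egress(routes, internet_client, connected)[1]


def summary(routes, connected=CONNECTED):
    """Egress decision for an Internet client, a county workstation, a county
    prefix routed via 192.168.99.1, and a local server (constructed addresses)."""
    samples = ["198.51.100.7", "192.168.105.10", "10.1.5.1", "192.168.100.10"]
    return {dst: egress(routes, dst, connected) for dst in samples}


if __name__ == "__main__":
    for name, routes, conn in (("current", CURRENT, CONNECTED),
                               ("proposed", PROPOSED, CONNECTED),
                               ("transit", TRANSIT, CONNECTED_TRANSIT)):
        print(name)
        for dst, (ifname, hop) in summary(routes, conn).items():
            print(f"  {dst:>16} -> {ifname} via {hop}")
```

Running it prints one summary per table; the 198.51.100.7 line is the symmetric-path check (county link under the current table, ASA under the other two), and the 10.1.5.1 line shows where the recursive 192.168.99.1 next hop ends up in each case.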