Cisco ASA and InterVLAN routing

TMaster100
Level 1

Hi,

We have a data/voice network (VLAN1 and VLAN100 respectively). Our PABX server resides on the voice network, and I need to access the web interface of this device over our VPN network, of which the ASA in question is a part.

The data network on VLAN 1 is 192.168.1.0/24 and the Voice network on VLAN 100 is 192.168.100.0/24.

What sort of configuration is needed on the client side ASA so that I can access the 192.168.100.0/24 network over the other segments of our VPN network?

Cheers.

1 Reply

Joel
Level 1

To clarify, the ASA is on the customer's site with connected interfaces in VLAN1 and VLAN100? You then have, I presume, a site-to-site VPN or remote access VPN to the ASA from your end? Is this correct?

If so, for the VPN are you encrypting the interesting traffic of 192.168.100.0/24 from your blocks?

On the ASA you should have an ACL, which should be applied to a crypto map, for example:

access-list client extended permit ip object-group client-networks object-group our-networks

crypto map outside-map 20 match address client

The object-groups (client-networks) should have the objects with the necessary networks in, i.e. 192.168.1.0/24 and 192.168.100.0/24. Our-networks should contain your netblocks, for instance 10.10.10.0/24.

If the VPN is fine and VLAN 100 is not connected to the ASA, you will need a route from the ASA to something which has a layer3 interface on both VLAN 1 and VLAN 100. If the ASA is connected to VLAN1 and a layer3 switch has an interface on VLAN1 and VLAN100, point a route from the ASA to 192.168.100.0/24 to the VLAN1 IP address on the layer3 switch.

It might be worth sharing some configuration of the ASA, if you require further help.

 

Joel
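
The configuration described in the reply above, written out as an added example (it is not part of the original reply or the poster's actual configuration). The networks and the names `client`, `client-networks`, `our-networks` and `outside-map` come from the reply; the interface name `inside` and the layer 3 switch address 192.168.1.254 are assumptions.

```cisco
! Client-side networks that must be reachable through the tunnel.
! The voice VLAN has to be listed here, or its traffic is never
! matched as interesting traffic and never encrypted.
object-group network client-networks
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
!
! Networks at the far end of the VPN (example block from the reply).
object-group network our-networks
 network-object 10.10.10.0 255.255.255.0
!
! Crypto ACL: source is the local (client) side, destination the remote side.
! The peer needs the mirror image of this ACL, with source and destination
! swapped, so that both ends agree on the protected networks.
access-list client extended permit ip object-group client-networks object-group our-networks
crypto map outside-map 20 match address client
!
! Only needed when VLAN 100 is NOT directly connected to the ASA:
! send 192.168.100.0/24 to the layer 3 switch's VLAN1 address.
! "inside" and 192.168.1.254 are assumed values for this sketch.
route inside 192.168.100.0 255.255.255.0 192.168.1.254
!
! Checks after applying:
!   show route               -> 192.168.100.0/24 present (static or connected)
!   show crypto ipsec sa     -> an SA whose local ident is 192.168.100.0/24
```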

 

 
