S2S vpn between ASA5520 and 5505 with 2 subnets on diff VLAN

lepodaras
Level 1

Hi,

I hope somebody can tell me if the following situation is possible:

Site A: ASA5520

- VLAN data: subnet 172.16.10.x/24
- VLAN Voice: subnet 10.0.0.x/24

Site B: ASA5505 Base license

- VLAN data: subnet 192.168.10.x/24
- VLAN Voice (restricted): subnet 10.0.1.0/24

The CallManager is located on site A and needs to send out DHCP offers to site B through the VPN so the IP phones can register to the CallManager.

I got the VPN up and running for the data subnet, but I can't get traffic through the voice subnet/VLAN.

Can the ASAs do the job, or do I need to route traffic before the ASAs on both sides and send it through the tunnel, configuring both subnets as interesting traffic?

Of course, in the last situation I need to upgrade the license for the 5505 to gain more VLANs.

Many thanks in advance,

Leonardo.

4 Replies

Jouni Forss
VIP Alumni

Hi,

To my understanding you would need to configure DHCP Relay on the ASA which needs to send DHCP messages through the L2L VPN.

But I haven't tested this. To my understanding this should be possible though.

- Jouni

Hi,

Here is a blog post on these Firewall forums that handles the subject of relaying DHCP messages through a VPN connection.

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2011/01/07/asa-pix-dhcp-relay-through-vpn-tunnel

- Jouni

Hi Jouni,

Thanks for the swift reply.

Eventually the DHCP also needs to be configured, but I didn't get to that point yet because I'm not able to ping a host on the voice VLAN from site A to B and vice versa.

Thanks for pointing it out, because that would be the second challenge after this.

Leonardo

Hi,

There should be no problem having multiple networks and interfaces on each ASA participating on the same L2L VPN connection.

Naturally, if you have the Base License on the ASA5505 and the Voice VLAN is a restricted interface, then it's possible that some traffic will be blocked because of this. The command "no forward interface Vlanx" stops the hosts behind this interface from initiating connections towards Vlanx, but shouldn't stop hosts on Vlanx from connecting to this restricted VLAN.

If that restricted VLAN isn't the problem, then naturally one possible common cause would be that NAT0 configurations are missing for the networks that aren't able to ICMP/ping each other.

Or there might be some error in the VPN configurations.

- Jouni
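As an added illustration (not taken from any post in this thread), this is what the advice above looks like in ASA 8.2-style configuration: both subnet pairs listed as interesting traffic in one crypto ACL, a separate nat 0 exemption per interface, and the DHCP relay on the site B voice interface. Interface names (inside, voice, outside), the crypto map and ACL names, the transform set and the CallManager address 172.16.10.5 are assumptions for the example.

```text
! Site A, ASA5520
! Interesting traffic must cover BOTH local subnets to BOTH remote subnets
access-list L2L_SITEB extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L_SITEB extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
! NAT exemption is per interface in 8.2, so the voice interface needs its own nat 0
access-list NONAT_DATA extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT_VOICE extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list NONAT_DATA
nat (voice) 0 access-list NONAT_VOICE
crypto map OUTSIDE_MAP 10 match address L2L_SITEB
crypto map OUTSIDE_MAP 10 set peer <site-B-public-IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Site B, ASA5505 (mirror image of the ACLs)
access-list L2L_SITEA extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list L2L_SITEA extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT_DATA extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT_VOICE extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT_DATA
nat (voice) 0 access-list NONAT_VOICE
crypto map OUTSIDE_MAP 10 match address L2L_SITEA
crypto map OUTSIDE_MAP 10 set peer <site-A-public-IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! Relay the phones' DHCP requests from the voice VLAN to the CallManager at site A
! (172.16.10.5 is an assumed address; the relayed packets cross the tunnel like any
! other traffic, so they must also be matched by the crypto ACL and NAT exemption)
dhcprelay server 172.16.10.5 outside
dhcprelay enable voice
dhcprelay setroute voice

! Checks on either side: one SA pair should appear per crypto ACL entry,
! and packet-tracer shows whether a voice-to-voice ping is dropped by NAT or ACL
show crypto ipsec sa
packet-tracer input voice icmp 10.0.1.50 8 0 10.0.0.50
```

If packet-tracer reports a drop in the NAT phase, the nat 0 exemption for that interface is the missing piece; if the VPN phase never matches, the crypto ACL does not cover that subnet pair.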
