Consumer Edge Router to ASA to Internal

ArchiTech89
Level 1

I have a difficult problem... Please forgive my ignorance.

I have a consumer-grade router called a "Fritz!Box 7390" on the edge of our network (in Germany -- very capable, very popular little box).

Following are the telephony characteristics:

  • ISDN BRI is emulated but runs over IP (as far as I understand, Telekom is trying to move all their clients to this configuration, or at least some form of it)
  • The device has two analog phone jacks and one ISDN -- we use all three: 1x for our regular telephone; 1x for our fax machine; 1x for a home office ISDN line

Next are the "WAN" characteristics:

  • The device connects to Deutsche Telekom over VDSL at 50Mbps down / 10Mbps up
  • The Fritz!Box allows for opening TCP/UDP ports to just a single device/IP address, not to an entire network
  • We currently have HTTP, HTTPS, SMTP, and Microsoft's RDP protocols opened to various servers running on Hyper-V virtual machines
  • We use Dyn's DDNS to resolve our internal Microsoft domain and Exchange servers
  • The device does allow for establishing a default route to a particular network

Finally, the internal network specs on this device:

  • 1x 100Mb port on the Fritz!Box connects to a Cisco/LinkSys SLM2008 switch that connects to the VMs and the NAS
  • It acts as a WLAN access point for mostly consumer devices (tablets, smartphones, etc.)
  • DHCP is provided from Windows Active Directory domain controllers
  • DNS is also from AD DCs
  • "One ring to rule them all" -- ahem! -- one common subnet for all servers and consumer devices, incl. game consoles, Blu-ray players, the above-mentioned tablets and smartphones, WiFi printers, etc.

What I want to do (PLEASE tell me if I can't or if it's just too crazy):

  • I want to put an ASA between the internal network and the edge
  • I'd like to put VLANs internally, including one VLAN for client workstations, one VLAN for servers, and one VLAN for a Cisco lab, all on the (internal) "business" network
  • I'd like network/application services to be able to pass from the "business" network through the ASA to both the "consumer" network and out to the Internet (and vice versa), including Exchange, Exchange web apps, access to a QNAP NAS, and access to an application running on SQL Server
  • Longer-term I'd like to build a site-to-site VPN between this office and a remote site (has a Cisco 887), and I'd like to set up the VPN for direct client access from the Internet as well
  • Longer-term I'd also like to create a DMZ and put the SMTP and HTTP servers there

What equipment I have in addition to the servers/NAS:

  • ASA 5505
  • Catalyst 2960 for the server "farm"
  • Cisco 881 ISR

Right now everything works fine on the one common subnet. I tried splitting out the VLANs using the 881 and could ping everything from both sides but couldn't get the services to traverse to the "consumer" network, and, for example, couldn't get access from the Internet (or the consumer network) to the Exchange server. My Microsoft DNS also got messed up because of the subnet changes, though I think that was just a matter of letting things settle out for it to work. I was flummoxed.

I know I should be using a simple DSL modem on the edge and connecting that to the ASA, but I'm pretty sure that I can't easily mess up my telephony from Deutsche Telekom and I would lose my WAP.

Is there any way to keep this consumer network separate and add new VLANs/subnets for the business network? I actually have multiple PCs I'd like to have join the domain, but I can't really get there until I address this problem. I'd also like to get to lab devices over the Internet, even if that only means going through the 2511 terminal server.

If you think I should break up this post -- separate it out -- and/or post it in multiple communities, I'd be happy to. Just let me know.

Is there anyone who can help me with this thorny issue??

 

Regards,

jeremyNLSO

P.S. I can post the configs from the attempt with the 881 and 2960 if it's helpful...

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
2 Replies

Hello.

Reading through the description I thought of the following topics:

 1. get rid of your current WAN VDSL device (or at least make it a bridge);

 2. configure your ASA for routing, making it WAN-facing;

 3. move your devices from the current shared subnet to the ASA.

 

Regarding topic 1 - I'm not sure if you could decommission the box, as it terminates your phone lines and is also provided as a managed service. I believe you either need a dedicated service for telephony and the Ethernet link, or you may ask your provider how to configure the box as a bridge, so your ASA device could have a public IP address.

I would recommend buying a static IP address, so you wouldn't have to rely on DynDNS. Also it might be worth buying a subnet of public IP addresses (like a /29).

 

Regarding topic 2 - you may configure your ASA as the WAN-facing device and configure NAT and routing for the current shared subnet; you may also start configuring other subnets.

ASA supports DNS doctoring, so it would make things easier if you want to support split DNS.

Also, if you need HA for the ASA, you would be better off looking at a 5510 or 5515 device.

PS: do not publish the RDP service over NAT, as it's not safe! Always wrap RDP in a VPN (ASA or router based) or SSL (RD Gateway).
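To make topics 2 and the DNS doctoring remark concrete, here is an added configuration sketch for an ASA 5505 running 8.3 or later; it is not part of the reply above or of the OP's configs, and it assumes the Fritz!Box has been turned into a bridge so the ASA holds a public address. All addresses and the host name are constructed placeholders: 198.51.100.0/29 stands in for a provider-assigned public /29, 192.168.10.0/24 for the "business" server VLAN, 192.168.10.25 for the Exchange server, and mail.example.com for its public name.

```text
! Added example, not the thread's own configuration. ASA 8.3+ object-NAT syntax.
! Constructed addresses: 198.51.100.1 = provider gateway, 198.51.100.2 = ASA
! outside, 198.51.100.3 = public address published for Exchange.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! Exchange server on the inside, published on one address of the public /29.
! The trailing "dns" keyword enables DNS doctoring: when an inside client
! resolves mail.example.com through an external DNS server and the answer
! arrives as 198.51.100.3, the ASA rewrites the A record to 192.168.10.25,
! so inside clients reach the server directly without a split-DNS zone.
object network obj-exchange
 host 192.168.10.25
 nat (inside,outside) static 198.51.100.3 dns
!
! Inside hosts share the outside interface address for ordinary browsing.
object network obj-inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Publish only the services the thread names as needing to be reachable
! (SMTP and HTTPS for Exchange/OWA). RDP is deliberately absent: per the
! PS above, reach it over VPN or RD Gateway instead.
! On 8.3+, access lists reference the real (inside) address, not the mapped one.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.25 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.25 eq https
access-group OUTSIDE_IN in interface outside
!
! DNS doctoring depends on DNS inspection, which the default global policy
! already enables; shown here so the dependency is visible.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

The point to check after applying something like this is the rewrite itself: from an inside host, resolve the public name against an external resolver and confirm the answer is the inside address; from outside, confirm only TCP 25 and 443 answer on the published address. Adding further server VLANs later is a matter of more interface Vlan stanzas and matching object NAT entries, not of changing this pattern.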

I've been sick, in the hospital, and traveling overseas since the original post. Does anyone else have any ideas?

I have found out from the telecom provider that I can get a bridge on the edge, and then get ISDN configured separately for the telephone lines like it used to be.

Any additional thoughts?

Thanks in advance...

 

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany