A complex ASA configuration

I have a rather complex configuration in my office network.
Rather complex, of course, from my perspective...
I have an ASA 5505 facing the internet through 2 Cisco routers under HSRP between them (10 Mbps fiber optics link + copper 4 Mbps SHDSL link).
On the internal side I have an HP 3800 L3 switch directly connected to the ASA and handling the internal routing between 5 VLANs (clients, servers, voip, mobile, site_2), where "Site_2" is a fiber optics L2 link to a remote premise of my company directly connected to a port of the L3 Switch.
All works fine.
The (so far) unresolved issue comes from the IPsec VPN remote access I am configuring on the ASA, based on the Cisco VPN Client v5.x on the client side and on the Security Plus Bundle license on the ASA side.
I configured the ASA following the instructions in the firewall manuals and now I am able to successfully connect to the site from remote. I am also able to execute the ASDM from my remote client and to access the configuration options on the ASA.
The problem occurs when trying to browse the internal network and trying to access the servers on the inside LAN. No answers at all. No ping, no anything.
I suspect that the problem is on the internal routing handled by the L3 switch side-by-side to the ASA.

In fact, I configured the VPN local pool of IP addresses on a different subnet than the internal LAN (LAN: 192.168.1.0/24, VPN range: 192.168.2.20-192.168.2.44).
The ASA is linked to the L3 switch by a single ethernet cable and the switch port where it is connected is configured to handle only the "Client_VLAN" (i.e. the 192.168.1.x subnet). Therefore I suspect that the switch simply ignores any packet coming from the ASA from the source address of the VPN pool (192.168.2.x).
I configured a VPN Vlan on the switch and the proper routing rules for it, but the switch can handle mixed traffic (i.e. coming from multiple VLANs) on one of its ports only if the traffic is tagged as per 802.1q spec.
To have the ASA forwarding traffic from both subnets on a single port (the one linked to the L3 Switch) I should configure the interface as a "trunk" and the L3 Port as "tagged" (the "untagged" ones can carry only a single VLAN traffic).
I made some tests but it, apparently, did not work. I was still unable to access the L3 switch from the ASA as well as -of course- the internal LAN.
Is it possible that 802.1q tagging is not compatible between Cisco and HP?

Now I am stuck on this issue and -sincerely- without any further idea how to resolve it.

A last chance could be to link the ASA to the L3 switch using 2 ethernet interfaces (one for the 192.168.1.x and the second for the 192.168.2.x) and configure the related ports on the switch as "untagged" (since they handle only 1 VLAN each).
I will try this next week, but any advice on this matter from the community will be greatly appreciated.
Thank you all in advance for your help...
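Before reworking the ASA-to-switch link as a trunk, a useful first check is whether the L3 switch can even hand replies for the VPN pool back to the ASA: the pool (192.168.2.20-192.168.2.44) lives outside every VLAN the switch knows, so a reply from an inside server to a VPN client follows whatever route the switch has for 192.168.2.x, not a VLAN membership. The script below is an added example, not code from the post or from Cisco or HP; it models the switch's forwarding table as (prefix, next-hop) pairs and shows the longest-prefix-match outcome with and without an explicit route for the pool. The ASA inside address (192.168.1.1), the server and VoIP subnets, and a default route to 192.168.1.254 are all constructed assumptions; the post does not say where the real switch's default route points, so the "before" case only illustrates what happens when it is not the ASA.

```python
"""Return-path check for a remote-access VPN pool outside the inside LAN.

Added example, not code from the original post. The L3 switch's forwarding
table is modelled as (prefix, next_hop) pairs; all addresses except the
192.168.1.0/24 LAN and the 192.168.2.20-192.168.2.44 pool are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed (hypothetical) ASA inside interface address on the Client_VLAN.
ASA_INSIDE = "192.168.1.1"

# LAN from the post plus constructed subnets for two of the other VLANs.
VLAN_SUBNETS = {
    "clients": "192.168.1.0/24",
    "servers": "192.168.10.0/24",
    "voip": "192.168.20.0/24",
}

Route = Tuple[str, str]  # (destination prefix, next-hop address)


def pool_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Minimal CIDR blocks covering an address range such as a VPN pool."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def covering_prefix(blocks: List[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every block (one static route)."""
    net = blocks[0]
    while not all(b.subnet_of(net) for b in blocks):
        net = net.supernet()
    return net


def pool_overlaps(blocks, subnets=VLAN_SUBNETS) -> List[str]:
    """Names of VLAN subnets the pool collides with (should be empty)."""
    return [name for name, cidr in subnets.items()
            if any(b.overlaps(ipaddress.ip_network(cidr)) for b in blocks)]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the next hop the switch would use for dst."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def reply_reaches_asa(table: List[Route], client_ip: str) -> bool:
    """True if a reply from the inside to a VPN client is handed to the ASA."""
    return lookup(table, client_ip) == ASA_INSIDE


# Constructed switch table: connected VLANs plus a default route that, for the
# sake of the demonstration, points somewhere other than the ASA.
SWITCH_TABLE: List[Route] = [
    ("192.168.1.0/24", "connected"),
    ("192.168.10.0/24", "connected"),
    ("192.168.20.0/24", "connected"),
    ("0.0.0.0/0", "192.168.1.254"),  # hypothetical other gateway
]


def with_pool_route(table: List[Route],
                    pool_prefix: ipaddress.IPv4Network) -> List[Route]:
    """Same table with an explicit static route for the pool via the ASA."""
    return table + [(str(pool_prefix), ASA_INSIDE)]


if __name__ == "__main__":
    blocks = pool_blocks("192.168.2.20", "192.168.2.44")
    print("pool blocks:", [str(b) for b in blocks])
    print("overlaps with VLANs:", pool_overlaps(blocks))
    route = covering_prefix(blocks)
    print("static route to add on the switch:", route, "->", ASA_INSIDE)
    print("next hop before:", lookup(SWITCH_TABLE, "192.168.2.30"))
    print("next hop after: ", lookup(with_pool_route(SWITCH_TABLE, route),
                                     "192.168.2.30"))
```

The covering prefix for the pool works out to 192.168.2.0/26, so a single static route for that prefix via the ASA's inside address on the switch is enough for the inside VLANs to reply to any pool address, on the existing untagged port and without any 802.1q tagging. If the switch already defaults to the ASA, the "before" lookup will return the ASA as well, and the return route is not where to look; the remaining candidates on the ASA side would then be the usual remote-access items such as NAT exemption for the pool, which the post does not show.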