We currently have 2 ASA 5510's with the base license at two different locations. There is a VPN set up between the two to allow internal traffic through. They both have a default route for internet. The network right now is 10.16.171.0\25 at locationa a. Location b network is 10.16.171.128\25
We had a new phone system installed and they are wanting it on a different network. So the end goal is to get a differnet network setup going across the same or different VPN and also allowing the different network to get online. Phone network at location a is 192.168.200.0\24 and location b is 192.168.201.0\24.
So is it possible to just configure another interface on the back of the ASA. For instance port 7 as 192.168.200.1. Configure all the phones and phone system for the default gateway of 192.168.200.1. That would have all phone traffic go to port 7 on ASA. Then enter a route for all 192 traffic to go across the proper VPN tunnel. And the internet traffic from the 192 networks would already be taken care of with the default route already in place.
Also if that is not possible, could we upgrade our license to something that would allow this to happen.
Any help is greatly appreciated.
My understanding is yes you can use port 7 as 192.168.200.1. Below are additional changes you may need to configure:
1. Change VPN access-list (add new subnets to the list) so that traffic from or to those two new subnets are permitted to enter VPN tunnel.
2. Change NAT access-list (add new subnets to the list) so that those two new subnets are able to access Internet, thoght it's not suggested for phone network to access Internet but as you mentioned it in your post then you can add then to the list if you like.
For the Base license on the ASA 5510, the maximum number of interfaces was increased from 3 plus a management interface to unlimited interfaces from 7.2(2). so it could be possible if you have a version > 7.2((2).
Don't forget to rate helpful posts.
With a 5505 base license you essentially get a inside VLAN and a restricted DMZ. Based on my expierence with them the restricted DMZ means that you can send traffic into the DMZ from the inside but not vice versa. So to run two internal subnets on a base license does not seem possible, thats the whole point of there licensing model. Want to do something cool, give us more money. Also with a full up ASA license you can definetly do routes. I worked at a place where we essentially deployed a ASA5505 as are our router and firewall. Then the sending the traffic over the tunnel is matter of setting up nat excemptions and editing your crypto map to send it threw the tunnel.