VLAN/VPN Problem on ASA 5505

I have what seems to be a unique problem with a VLAN and VPN configuration on an ASA 5505. There are two buildings involved. Both buildings are linked with a wireless bridge on network 192.168.2.0/24. This works well for data, but the concern is VOIP phones will have a problem especially if the weather gets bad (this is Florida).  There is also a Cisco Series 300 PoE switch with 6 ports configured for Vlan30 in access mode where the phones are connected and one cable going to interface Ethernet0/2 on the ASA 5505 for access to the VPN.

So, Vlan30 was created for voice traffic, and an IPsec VPN tunnel is configured for Vlan30 across a broadband connection to another ASA 5505 connected via a T1. The problem is Vlan30 phones and computers, when configured with their own IP addresses, 192.168.30.0/24 with a gateway of 192.168.30.1, cannot get to the Internet, nor can a tunnel be created to the other building (192.168.2.0/24) where the VOIP phone SIP server is located. The configuration is not trunked with multiple VLANs because there can be no access to the 192.168.2.0/24 network from the 192.168.30.0/24 network unless it goes across the VPN. If a computer is plugged into a port on Vlan1, it gets to the Internet, but on Vlan30, no access to the Internet. That is the crux of the matter.

I have included bits of the configuration below, which I believe to be relevant.  Any help would be most appreciated.

interface Vlan1
 description Local network interface
 nameif inside
 security-level 100
 ip address 192.168.2.253 255.255.255.0
!
interface Vlan2
 description RR Broadband interface
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.252
!
interface Vlan30
 description VOIP interface
 nameif VOIP
 security-level 90
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 30

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (VOIP) 0 access-list VOIP_nat0_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group VOIP_access_in in interface VOIP
route outside 0.0.0.0 0.0.0.0 24.227.43.217 1

access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list VOIP_access_in extended permit icmp any any
access-list VOIP_access_in extended permit tcp any any
access-list VOIP_access_in extended permit udp any any
access-list VOIP_access_in extended permit ip any any
access-list VOIP_nat0_outbound extended permit ip object-group Sales

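As an added diagnostic example (written here, not part of the original post or Cisco's tooling): a small Python lint over the pre-8.3 ASA syntax quoted above. It reports, per named interface, whether a dynamic NAT entry is tied to the global pool or whether the only NAT statement is a nat 0 exemption, and which applied ACLs permit ip any any. The config string is a constructed excerpt of the lines in the post, with the description and route lines left out.

```python
import re
from collections import defaultdict

# Constructed sample: the pre-8.3 ASA interface and NAT lines quoted in the post,
# double-spacing removed. Nothing here is read from a live device.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.253 255.255.255.0
interface Vlan2
 nameif outside
 ip address 10.1.1.1 255.255.255.252
interface Vlan30
 nameif VOIP
 ip address 192.168.30.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (VOIP) 0 access-list VOIP_nat0_outbound
access-list VOIP_access_in extended permit ip any any
access-group VOIP_access_in in interface VOIP
"""

def audit_asa_nat(config: str) -> dict:
    """For each nameif that is not itself hosting a global pool, report whether a
    'nat (iface) N' rule shares an id with a 'global (...) N' pool (dynamic NAT
    for Internet-bound traffic) and whether its only NAT statement is nat 0."""
    nameifs = re.findall(r"^\s*nameif\s+(\S+)", config, re.M)
    pools = re.findall(r"^global\s+\((\S+)\)\s+(\d+)", config, re.M)
    pool_ifaces = {iface for iface, _ in pools}
    pool_ids = {int(nid) for _, nid in pools}
    nat_ids = defaultdict(set)
    for iface, nid in re.findall(r"^nat\s+\((\S+)\)\s+(\d+)", config, re.M):
        nat_ids[iface].add(int(nid))
    findings = {}
    for name in nameifs:
        if name in pool_ifaces:
            continue  # egress interface for the pool, not a translated source
        ids = nat_ids.get(name, set())
        findings[name] = {"dynamic_nat_to_pool": bool(ids & pool_ids),
                          "exempt_only": ids == {0}}
    return findings

def permissive_acls(config: str) -> list:
    """Return (acl, interface) pairs where an applied ACL permits ip any any."""
    any_any = set(re.findall(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+any\s+any",
                             config, re.M))
    applied = re.findall(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", config, re.M)
    return [(acl, iface) for acl, iface in applied if acl in any_any]

if __name__ == "__main__":
    for iface, finding in audit_asa_nat(ASA_CONFIG).items():
        print(f"{iface}: {finding}")
    print("permissive ACLs:", permissive_acls(ASA_CONFIG))
```

On this excerpt the lint marks VOIP as exempt-only with no dynamic NAT to the outside pool, while inside has one; whether that is the full cause depends on the crypto map and the rest of the running config, which the post does not include.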