
ASA 5505 Site-to-site VPN with multiple networks

LocateSolution
Level 1

Hello,

I have a problem configuring a Cisco ASA 5505 and hope you can help me.

Our company established a second facility that should be connected to our headquarters using VPN.

I used the ASDM "Site-to-site VPN wizard" to create a connection, which works fine with our main network.

Following structure:

Headquarter:

Cisco ASA 5505, firmware 9.1, ASDM version 7.1

Outside: fixed IP

Inside: IP of the interface is 192.168.0.1/24 (data network)

Now I have a second network 192.168.1.0/24 (VoIP network), PBX address is 192.168.1.10.

Both networks should be accessible via VPN.

New Facility:

Cisco ASA 5505, firmware 9.1, ASDM version 7.1

Outside: fixed IP

Inside: IP of the interface is 192.168.2.1/24

I already created a connection, so that a PC from the new facility reaches the data network. E.g. a ping from 192.168.2.100 to 192.168.0.100 is possible.

Now, I would like to add some VoIP telephones to the new facility that can reach the PBX on 192.168.1.10.

In the connection, I already added both networks as Remote network:

object-group network Testgroup
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group Testgroup object Remote-Network

My problem is now, I don't know what to set as "Gateway" on my PBX.

I can't use 192.168.0.1 because it is another subnet. Also I can't set a second IP 192.168.1.1 to the interface of the ASA.

Do you have any ideas, how I can realize this, so that both subnets are accessible via VPN and all the devices have a gateway set?

Could an "Easy VPN Remote" in "Network extension mode" help me?

What's the difference between "Site-to-site" and "Network extension"?

Kind regards,

Daniel Petat, locate solution GmbH

1 Accepted Solution


You can possibly configure a new VLAN (the PBX VLAN) on the ASA and connect that interface to the Voice network.

If you don't have a spare port on the ASA, then yes, you would need to have a router to route the traffic from PBX to the ASA via the Data network.


Jennifer Halim
Cisco Employee

I would stick with site-to-site VPN instead of Easy VPN NEM (Network Extension Mode) for your setup.

Can you please share the full config on both HQ and New Facility so we can see if everything has been included in the configuration?

Please check your NAT statement to see if you have configured NAT exemption for that VoIP network.

HQ should also have a crypto ACL that includes the VoIP network.

What is the gateway currently configured on your PBX, and what device is that? How is the routing on that device that is set as your PBX default gateway? If you can share a topology diagram, that would help too.

At the moment, the PBX has no gateway set, because it didn't need an internet connection (phone calls are transferred via ISDN). It is an "Innovaphone IP800" device.

So I think I need another routing device between the ASA and the PBX?


I will try to get the configuration files and a topology diagram.

You can possibly configure a new VLAN (the PBX VLAN) on the ASA and connect that interface to the Voice network.

If you don't have a spare port on the ASA, then yes, you would need to have a router to route the traffic from PBX to the ASA via the Data network.

That was almost too easy..

You were right, I created a new VLAN at a spare port of the ASA, and it works fine now.

Didn't think about this solution, because our license usually allows only 2 VLANs (inside and outside).

I had to block the traffic from the new PBX-LAN to the inside-LAN before I could create it.

Thank you, problem solved.

Excellent, good to hear it's working and thanks for the update.

Please kindly mark your post answered so others can learn from it. Thank you.
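
The fix the thread settles on (a third VLAN on a spare port for the voice network, plus the NAT exemption and crypto ACL coverage asked about earlier), sketched for the HQ ASA as an added example that is not the poster's actual configuration. Assumed here: Vlan1 is the inside VLAN, Ethernet0/2 is the spare port, and the interface name `pbx`, the interface address 192.168.1.1 and the object name `PBX-Network` are made up for illustration.

```cisco
! Constructed example for the HQ ASA 5505 (9.1 syntax); not taken from the thread.
! Assumed: Vlan1 = inside, Ethernet0/2 = spare port, interface name "pbx",
! interface address 192.168.1.1, object name PBX-Network.
!
! Third VLAN for the voice network. On a license limited to two full VLANs,
! the forwarding restriction has to be entered before nameif is accepted;
! it stops the voice VLAN from initiating connections to the inside VLAN.
interface Vlan3
 no forward interface Vlan1
 nameif pbx
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Voice subnet as an object, used by the NAT exemption below.
object network PBX-Network
 subnet 192.168.1.0 255.255.255.0
!
! NAT exemption for voice traffic to the remote site. Remote-Network is the
! object already referenced by the crypto ACL in the thread.
nat (pbx,outside) source static PBX-Network PBX-Network destination static Remote-Network Remote-Network no-proxy-arp route-lookup
!
! Crypto ACL from the thread, unchanged: it already covers both HQ subnets.
object-group network Testgroup
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group Testgroup object Remote-Network
```

With this layout the PBX would use 192.168.1.1 (the assumed interface address) as its gateway, and the ASA at the new facility needs the mirror image: 192.168.1.0/24 as a destination in its crypto ACL and in its NAT exemption. `show crypto ipsec sa` on either peer then shows whether a security association exists for the 192.168.1.0/24 and 192.168.2.0/24 pair.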