Cant route VLAN over VPN between Cisco ASA 5505 and Cisco 870

Question

We've had an existing VPN between a 5505 and 870 for some time. We've just added VLANs to the network on the 5505 side. We can't seem to figure out how to get devices on the VLANs to communicate with devices on the 870 network which have no VLANs. We're thinking we might have to use a router of sorts to handle the routing before hitting the ASA. We thought PFsense might work well.

We've been banging our heads against this thing for 2 days so any immediate help would be great. We're up against a deadline.

Thanks!!!

Answer 1

The answer from user61006 is not complete. Most 802.1q enabled switches (including the 5505) will allow you to define ports that have 802.1q tagging turned on or off and what default vlan untagged packets belong to. You can define ports that have multiple VLANs enabled so long as tagging is enabled on that port. The short of it is, if the 5505 is your only switch (small network to be VLANing...) you probably don't need to change anything, but assuming you have other switches, make sure all ports connected to between them and the 5505 have tagging on and that they are a member of any VLANs you want the 5505 to see/pass over the VPN. For instance, I have 3 VLANs, and on my primary switch, I have a trunk port defined that is a member of all 3 VLANs and has tagging turned on and untagged packets (though it receives none) are by default a member of vlan 1. The ASA5505 then is connected to that port and thus receives all necessary traffic from my switch on any of the VLANs. Of course due to the nature of switching, traffic between PCs on a switch does not need to traverse to other switches/the 5505.

Answer 2

Ignoring the 870 for a minute, and just concentrating on the 5505 side of the network, how do devices on different vlans communicate? Vlans are by default isolated from each other, and can't communicate with each other. What vlan is the port the 5505's "inside" interface is connected to on? The 5505 is only going to see traffic from that vlan. If you have routing setup between vlans, and you added a route to the 5505's inside interface, then traffic from those vlans could make it over the vpn tunnel to the other side, and you probably need routes on the other side to get the traffic back, unless you have a default route to the tunnel, or are running a dynamic routing protocol over the vpn.