Posted: Sat Sep 22, 2012 5:14 pm
Joined: Sat Sep 22, 2012 4:52 pm | Posts: 2
Hi,

My friend and I are currently setting up a Xen test environment.
As you can see from the picture below, we are running a Cisco ASA 5505 to reach the network from the outside.
But the problem is that we want to reach the virtual pfSense subnets through the Cisco AnyConnect VPN.
And currently the pfSenses are only configured with a public IP and a virtual interface to the VMs.

We could be lazy and do a tunnel to the Cisco from each pfSense. I guess that could be a temporary solution.
Or we could solve this problem by buying another PCI NIC, so that we have a physical link from the "pfSense box" to a tagged VLAN on the switch.
But we are having problems configuring the switch for general VLANs, because Xen can't have its management interface on a tagged VLAN directly from the XenServer,
but the switch can tag the packet when it reaches the switchport.

Does anyone have any idea on how to solve this?

Image

I would like to have "switchport general allowed vlan 2" for admin and 10 for "LAN",
and then trunk the port to the Cisco ASA.

But again, Xen stops me from doing this.

:thankyou:

Regards.
Jonher937

Posted: Sat Sep 22, 2012 10:49 pm
Joined: Fri Nov 13, 2009 5:15 pm | Posts: 1947 | Location: Pittsburgh | Certs: CCIE R&S, CCIP, JNCIA, VCP510
Maybe I am not understanding this correctly, but generally with a setup like this you would trunk that LAN VLAN into your hypervisor/Xen and run that VLAN all the way up to the ASA. Within your ASA you would then allow split tunneling for those LAN segments, so you would get both of your 172.20.x.x networks.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!

Posted: Sun Sep 23, 2012 12:03 pm
Joined: Sat Sep 22, 2012 4:52 pm | Posts: 2
Thanks for your reply. I have tried trunking them, but without success. So I allowed VLAN 10 (LAN) and 1 for Xen (default VLAN) on both the Xen ports and the Cisco port. I even tried to configure the Cisco interface as a trunk. No success there either. So now I've set an IP for each pfSense on the LAN interface of the physical machines (172.20.20.X2).

Then I put a static route to both of the subnets, and I can now ping all IPs on the pfSense subnets. The only thing that is left is setting up ACLs to be able to reach all networks over VPN.
I've tried many ACLs, then I gave up and tried Global (any to any).
The result when running "Packet trace" was: (acl-drop) flow is denied by configured rule

And I can't seem to figure out why....
I'm still very new to Cisco's ACLs and NATs.
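The approach the reply above describes (trunk the LAN VLAN up to the ASA, route to the pfSense subnets, and hand only the 172.20.x.x networks to AnyConnect clients through split tunneling), written out as an added configuration example; it is not the configuration of either poster. Assumed: an ASA 5505 with 8.3+ NAT syntax and AnyConnect already enabled under webvpn on the outside interface; the interface, object, pool, policy and tunnel-group names, the VPN pool 172.20.99.0/24, the pfSense LAN addresses 172.20.20.12/.22 and their inner subnets 172.20.30.0/24 and 172.20.40.0/24 are constructed placeholders.

```cisco
! Added example, not the thread's configuration. All names, the VPN pool,
! the pfSense LAN addresses and the inner subnets are constructed placeholders.
! Trunk the LAN VLAN (10) on the built-in switch port facing the Xen host.
! (Trunk ports on the 5505 require the Security Plus license.)
interface Ethernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10
 no shutdown
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 172.20.20.1 255.255.255.0
!
! Static routes to the subnets behind each pfSense LAN interface (172.20.20.X2).
route inside 172.20.30.0 255.255.255.0 172.20.20.12 1
route inside 172.20.40.0 255.255.255.0 172.20.20.22 1
!
! Split tunnel: only the 172.20.x.x networks go through the VPN; the client's
! other traffic stays on its local connection (least exposure of the lab).
access-list SPLIT_TUNNEL standard permit 172.20.20.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.20.30.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.20.40.0 255.255.255.0
!
ip local pool ANYCONNECT_POOL 172.20.99.10-172.20.99.100 mask 255.255.255.0
!
! NAT exemption (8.3+ syntax): traffic between the VPN pool and the inside
! networks must not be rewritten by any internet PAT rule, or replies break.
object network VPN_POOL
 subnet 172.20.99.0 255.255.255.0
object network INSIDE_NETS
 subnet 172.20.0.0 255.255.0.0
nat (inside,outside) source static INSIDE_NETS INSIDE_NETS destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP
!
! Decrypted VPN traffic bypasses the outside interface ACL (the default);
! keep this rather than opening the outside ACL to "any any".
sysopt connection permit-vpn
```

One caveat on the "Packet trace" result in the post above: packet-tracer does not emulate the AnyConnect session, so a trace entering the outside interface with a VPN-pool source address is evaluated as plain inbound traffic and usually ends in acl-drop on the outside ACL even when a real client can reach the subnets; verify with a connected client and `show vpn-sessiondb anyconnect` instead.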