Need help with VPN - ASA 5505 to ASA 5510

Unanswered Question

I'm trying to set up multiple site to site vpns with an ASA 5510 at the main site and 5505's at the remotes. I'd like to use the 5505's behind the existing internet routers at the remote sites, typically linksys or similar dsl routers.

At the main site there is a host with the private address of 10.1.X.Y which I need to have bidirectional connectivity with PC's at each remote site. The remote sites all have private IP's of 172.16.A.X, 172.16.B.X etc...

The 5510 has a public IP on the outside and the inside interface is in the same subnet as the 10.1.X.Y host that I need access to/from.

Assuming that I have a 5505 with 10 user license, is it possible to locate the 5505 BEHIND a linksys dsl router to allow 10 users on that private net to access the remote host over a tunnel?

What I was hoping I could do is configure 172.16.X.1 (the dsl router) as the default gateway, and have a static route on that router that points any traffic bound for 10.1.X.Y to 172.16.X.254 (the inside address of the asa 5505) which would then get to the host over the point to point VPN.

Is this possible? Any and all help GREATLY appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
whjvdam1 Thu, 08/09/2007 - 10:32

I have tried to understand your message.

Your question is:

Is it possible to locate the 5505 BEHIND a linksys dsl router to allow 10 users on that private net to access the remote host over a tunnel?

Yes that's possible. You first connect the dsl router to internet and behind this dsl router you connect the asa firewall. On the ASA you have to configure a public ip-address, so that you can setup the vpn tunnel between the ASA 5510 and ASA 5505.

ASA 5510 *==> internet ==> dsl router ==> ASA 5505

I don't have much knowledge about license of the ASA, but this is the way I would like to do it.

I am wondering why you use the 5505 ASA at the remote branch? If all the traffic is tunneled to the 5510 ASA why using 5505 ASA's? You can also buy a dsl router which can tunnel the traffic to the 5510 ASA. Filtering can than be done on the 5510 ASA.

Hope it helps!



sriggslev Thu, 08/09/2007 - 11:11

to create tunnel between sites you need to use public addresses assigned by ISP

You can not create a tunnel between sites using 10.x.x.x or 192.168.x.x etc

I believe there is a way to use the asa 5505 as termination and use DDNS and outside address provided by ISP... anyone have more???

whjvdam1 Thu, 08/09/2007 - 12:00

You also have vpn routers from Cisco.

I have used the 1762 with encryption module in a production environnement and I have never had problems. Maybey you can try it with a 2600 router with a encryption.

What you can do is configure the dsl router in bridge mode. In this way the ASA gets the ip address of the service provider. I am only not sure if you can configure the outside interface of the ASA as dhcp client.

By the way if you have to configure dhcp you have to use dynamic vpn what is less secure than static vpn.

Regards, Wouter

whjvdam1 Sat, 08/11/2007 - 07:13

What you also can do is Nat on the dsl router. Here I have something what I found on cisco website (

Enable NAT-Traversal (#1 RA VPN Issue)

NAT-Traversal or NAT-T allows VPN traffic to pass through NAT or PAT devices, such as a Linksys SOHO router. If NAT-T is not enabled, VPN Client users often appear to connect to the PIX or ASA without a problem, but they are unable to access the internal network behind the security appliance.

Note: With IOS 12.2(13)T and later, NAT-T is enabled by default in IOS.

Here is the command to enable NAT-T on a Cisco Security Appliance. The 20 in this example is the keepalive time (default).

PIX/ASA 7.1 and earlier

pix(config)# isakmp nat-traversal 20

PIX/ASA 7.2(1) and later

securityappliance(config)# crypto isakmp nat-traversal 20

If you want a example how to configure the asa, maybe you can use this link:




This Discussion