VPN between 2 offices as well as their current VPN to HQ possible?

Jul 18th, 2008

I have 2 VPNs connected to my Cisco ASA 5520. These VPNs are 2 small remote offices and are using DSL lines with static public IPs as their peer address. I have a Cisco 877 router at each office to connect them to the Cisco ASA.

These 2 offices now need to connect to each other and rather than route via the Cisco ASA can I create a VPN between the 2 offices so each Cisco 877 router has 2 VPNs - one to the HQ (Cisco ASA) and one to the other remote office?

These 2 offices are based in the same country so it makes sense; our HQ is in another.

If so how? If useful I can attach one of the remote offices' configs, that way I can see how the extra crypto config will look and how I can route the interested traffic to the right VPN?


srue Fri, 07/18/2008 - 05:16

Do the remotes have static IPs? If so, you can easily create another site2site VPN on both routers.

If either have dynamic IPs, you will probably need to go with DMVPN.

Or you may choose to go with DMVPN anyway. It requires a bit more up-front configuration as you migrate to it, but if you plan on adding more remotes in the future, it saves you time adding them to your VPN infrastructure.

whiteford Sat, 07/19/2008 - 03:20

They use static IPs. What is DMVPN? This could be useful!

Attached is one of the offices' Cisco 877 configs. I have made the Cisco ASA's IP instead of the actual public IP. What config would I need to add if office 2's static IP was

The office 2 config is identical to the one attached apart from the local IP range is


a.alekseev Sat, 07/19/2008 - 05:59

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 1234567890 address
crypto isakmp key 1234567890 address remote2_ip

crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac

crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer
 set transform-set MY_T_Set
 match address 101
crypto map My_Crypto_Map 20 ipsec-isakmp
 set peer remote2_ip
 set transform-set MY_T_Set
 match address 102

no access-list 101 permit ip any
!!!you must have mirror acl on HQ-ASA
access-list 101 permit ip HQ-NETS
!!!you must have mirror acl on remote2
access-list 102 permit ip remote2-NETS
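
The mirror-ACL requirement noted in the config above can be checked offline before the second tunnel is brought up. This is an added example, not code from the thread: the subnets and ACL lines are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (addresses are illustrative, not from the thread).
OFFICE1_CFG = """\
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
OFFICE2_CFG = "access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
OFFICE2_BAD = "access-list 102 permit ip 192.168.2.0 0.0.0.255 any\n"

# One side of an extended ACL entry: "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
_SIDE = r"(any|host\s+\S+|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
_ACE = re.compile(rf"^access-list\s+(\d+)\s+permit\s+ip\s+{_SIDE}\s+{_SIDE}\s*$")


def _network(side):
    """Normalise one ACL side to an IPv4Network."""
    parts = side.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    # IOS writes wildcard (inverse) masks; ipaddress accepts them as host masks.
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}")


def crypto_acl(config, acl_number):
    """Return the (source, destination) network pairs permitted by one ACL."""
    pairs = set()
    for line in config.splitlines():
        m = _ACE.match(line.strip())
        if m and int(m.group(1)) == acl_number:
            pairs.add((_network(m.group(2)), _network(m.group(3))))
    return pairs


def mirror_mismatches(local_cfg, local_acl, peer_cfg, peer_acl):
    """Compare two crypto ACLs; both result sets are in the local router's
    (source, destination) orientation. Empty sets mean the ACLs mirror."""
    local = crypto_acl(local_cfg, local_acl)
    swapped_peer = {(dst, src) for src, dst in crypto_acl(peer_cfg, peer_acl)}
    return {"local_only": local - swapped_peer, "peer_only": swapped_peer - local}


if __name__ == "__main__":
    print(mirror_mismatches(OFFICE1_CFG, 102, OFFICE2_CFG, 102))
    print(mirror_mismatches(OFFICE1_CFG, 102, OFFICE2_BAD, 102))
```

With the `any` entry on the peer, both sets come back non-empty: the two routers would propose different proxy identities and the tunnel's phase 2 negotiation would not match.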

