VPN between 2 offices as well as their current VPN to HQ possible?

whiteford
Level 1

Hi,

I have 2 VPNs connected to my Cisco ASA 5520. These VPNs are 2 small remote offices and are using DSL lines with static public IPs as their peer address. I have a Cisco 877 router at each office to connect them to the Cisco ASA.

These 2 offices now need to connect to each other and rather than route via the Cisco ASA can I create a VPN between the 2 offices so each Cisco 877 router has 2 VPNs - one to the HQ (Cisco ASA) and one to the other remote office?

These 2 offices are based in the same country so it makes sense; our HQ is in another.

If so, how? If useful I can attach one of the remote office's configs, that way I can see how the extra crypto config will look and how I can route the interested traffic to the right VPN?

Thanks

3 Replies

srue
Level 7

Do the remotes have static IPs? If so, you can easily create another site2site VPN on both routers.

If either have dynamic IPs, you will probably need to go with DMVPN.

Or you may choose to go with DMVPN anyway. It requires a bit more up-front configuration as you migrate to it, but if you plan on adding more remotes in the future, it saves you time adding it to your VPN infrastructure.

Hi,

They use static IPs. What is DMVPN? This could be useful!

Attached is one of the office's Cisco 877 configs. I have made the Cisco ASA's IP 1.1.1.1 instead of the actual public IP. What config would I need to add if office 2's static IP was 2.2.2.2?

The office 2 config is identical to the one attached apart from the local IP range, which is 172.19.1.0 255.255.255.0

Thanks

!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
! one pre-shared key entry per peer: the HQ ASA and the second remote office
crypto isakmp key 1234567890 address 1.1.1.1
crypto isakmp key 1234567890 address remote2_ip
!
crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac
!
! sequence 10: existing tunnel to the HQ ASA; the peer must match the isakmp key address above
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MY_T_Set
 match address 101
! sequence 20: new tunnel to remote office 2
crypto map My_Crypto_Map 20 ipsec-isakmp
 set peer remote2_ip
 set transform-set MY_T_Set
 match address 102
!
! replace the old "any" entry, which at sequence 10 would also match traffic for remote2
no access-list 101 permit ip 172.19.2.0 0.0.0.255 any
! you must have a mirror ACL on the HQ ASA
access-list 101 permit ip 172.19.2.0 0.0.0.255 HQ-NETS
! you must have a mirror ACL on remote2
access-list 102 permit ip 172.19.2.0 0.0.0.255 remote2-NETS
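
Added example, not part of the thread or of any poster's configuration: a small Python check that every crypto-map peer has a pre-shared key entry and that the two offices' crypto ACLs are mirror images, as the reply above requires. The sample configs are constructed; office 1's public IP (192.0.2.1) and the HQ networks (10.0.0.0/8) are assumptions, and the parser only handles the simple line forms shown here.

```python
import re

# Constructed sample configs, not the thread's attachment. Assumed values:
# office 1 public IP 192.0.2.1, HQ networks 10.0.0.0/8.
OFFICE1 = """\
crypto isakmp key 1234567890 address 1.1.1.1
crypto isakmp key 1234567890 address 2.2.2.2
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MY_T_Set
 match address 101
crypto map My_Crypto_Map 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
access-list 101 permit ip 172.19.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 172.19.2.0 0.0.0.255 172.19.1.0 0.0.0.255
"""
OFFICE2 = """\
crypto isakmp key 1234567890 address 192.0.2.1
crypto map My_Crypto_Map 20 ipsec-isakmp
 set peer 192.0.2.1
 match address 102
access-list 102 permit ip 172.19.1.0 0.0.0.255 172.19.2.0 0.0.0.255
"""

def parse(cfg):
    """Return (key_peers, {peer: acl_id}, {acl_id: [(src, swild, dst, dwild)]})."""
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    tunnels = dict(re.findall(
        r"^crypto map \S+ \d+ ipsec-isakmp\n(?: .*\n)*? set peer (\S+)\n"
        r"(?: .*\n)*? match address (\d+)", cfg, re.M))
    acls = {}
    for acl, *flow in re.findall(
            r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M):
        acls.setdefault(acl, []).append(tuple(flow))
    return keys, tunnels, acls

def peers_without_key(cfg):
    """Crypto-map peers that have no pre-shared key entry (IKE would fail)."""
    keys, tunnels, _ = parse(cfg)
    return sorted(set(tunnels) - keys)

def acls_mirrored(cfg_a, ip_a, cfg_b, ip_b):
    """True if A's crypto ACL towards B equals B's ACL towards A, src/dst swapped."""
    (_, tun_a, acl_a), (_, tun_b, acl_b) = parse(cfg_a), parse(cfg_b)
    if ip_b not in tun_a or ip_a not in tun_b:
        return False
    a = set(acl_a.get(tun_a[ip_b], []))
    b = {(d, dw, s, sw) for s, sw, d, dw in acl_b.get(tun_b[ip_a], [])}
    return bool(a) and a == b
```

An ACL entry that still ends in `any` is not parsed as a subnet pair, so `acls_mirrored` reports it as not mirrored.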
