07-18-2008 04:38 AM - edited 02-21-2020 03:50 PM
Hi,
I have 2 VPNs connected to my Cisco ASA 5520. These VPNs are 2 small remote offices and are using DSL lines with static public IPs as their peer address. I have a Cisco 877 router at each office to connect them to the Cisco ASA.
These 2 offices now need to connect to each other and, rather than route via the Cisco ASA, can I create a VPN between the 2 offices so each Cisco 877 router has 2 VPNs - one to the HQ (Cisco ASA) and one to the other remote office?
These 2 offices are based in the same country so it makes sense; our HQ is in another.
If so, how? If useful I can attach one of the remote offices' configs; that way I can see how the extra crypto config will look and how I can route the interesting traffic to the right VPN.
Thanks
07-18-2008 05:16 AM
Do the remotes have static IPs? If so, you can easily create another site-to-site VPN on both routers.
If either has a dynamic IP, you will probably need to go with DMVPN.
Or you may choose to go with DMVPN anyway. It requires a bit more up-front configuration as you migrate to it, but if you plan on adding more remotes in the future, it saves you time adding them to your VPN infrastructure.
07-19-2008 03:20 AM
Hi,
They use static IPs. What is DMVPN? This could be useful!
Attached is one of the offices' Cisco 877 configs. I have made the Cisco ASA's IP 1.1.1.1 instead of the actual public IP. What config would I need to add if office 2's static IP was 2.2.2.2?
The office 2 config is identical to the one attached apart from the local IP range, which is 172.19.1.0 255.255.255.0.
Thanks
07-19-2008 05:59 AM
!
! Phase 1 (ISAKMP) policy, shared by both tunnels
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
! One pre-shared key per peer: the HQ ASA (1.1.1.1 in the sanitised config) and office 2 (2.2.2.2 as given in the question)
crypto isakmp key 1234567890 address 1.1.1.1
crypto isakmp key 1234567890 address 2.2.2.2
!
! Phase 2 transform set, reused by both crypto map entries
crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac
!
! Entry 10: the existing tunnel to HQ. The peer must be the same address the ISAKMP key above is bound to
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MY_T_Set
 match address 101
! Entry 20: the new tunnel to office 2, on the same crypto map that is already applied to the WAN interface
crypto map My_Crypto_Map 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set MY_T_Set
 match address 102
!
! Remove the catch-all line first: with "any" in ACL 101, office 2 traffic keeps matching entry 10 and goes to HQ
no access-list 101 permit ip 172.19.2.0 0.0.0.255 any
! Interesting traffic to HQ; replace HQ-NETS with the HQ subnet and wildcard mask. You must have the mirror ACL on the HQ ASA
access-list 101 permit ip 172.19.2.0 0.0.0.255 HQ-NETS
! Interesting traffic to office 2 (172.19.1.0/24 as given in the question). You must have the mirror ACL on remote 2
access-list 102 permit ip 172.19.2.0 0.0.0.255 172.19.1.0 0.0.0.255
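The matching side on the office 2 router, as an added example that is not part of the thread. It assumes office 1's static public IP is 3.3.3.3, keeps HQ-NETS as the placeholder for the HQ subnet/wildcard, assumes the 877 already does PAT to the DSL line with "ip nat inside source list 110 interface Dialer0 overload", and uses placeholder keys (one per peer, so a leaked key only exposes one tunnel).

```cisco
! Office 2 (172.19.1.0/24) Cisco 877: mirror of the office 1 configuration above
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
! Keys bound to each peer: 1.1.1.1 is the HQ ASA, 3.3.3.3 is the assumed static IP of office 1
crypto isakmp key HQ-KEY-PLACEHOLDER address 1.1.1.1
crypto isakmp key OFFICE1-KEY-PLACEHOLDER address 3.3.3.3
!
crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac
!
crypto map My_Crypto_Map 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MY_T_Set
 match address 101
crypto map My_Crypto_Map 20 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set MY_T_Set
 match address 102
!
! Crypto ACLs are exact mirrors of office 1's: source and destination swapped, no "any"
access-list 101 permit ip 172.19.1.0 0.0.0.255 HQ-NETS
access-list 102 permit ip 172.19.1.0 0.0.0.255 172.19.2.0 0.0.0.255
!
! NAT exemption: tunnel traffic must not be translated, so the denies go in before the permit
! (ACL 110 is the assumed NAT ACL; new lines are appended, so enter them in this order)
access-list 110 deny ip 172.19.1.0 0.0.0.255 172.19.2.0 0.0.0.255
access-list 110 deny ip 172.19.1.0 0.0.0.255 HQ-NETS
access-list 110 permit ip 172.19.1.0 0.0.0.255 any
!
interface Dialer0
 crypto map My_Crypto_Map
```

After sending traffic between the two LANs, "show crypto isakmp sa" should list both peers and "show crypto ipsec sa" should show encaps/decaps counters rising on the 3.3.3.3 entry rather than the HQ one.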