
VPN from several sites to a central location

kasper123
Level 4

We have several small offices that we would like to connect to a central site. The users at these sites have to use some of the resources at the central site (servers, file sharing etc).

At the central site we are thinking to deploy an ASA 5510 as a VPN termination point (actually 2xASA5510 in failover).

We are still unsure what to install at the small offices.
At the moment we are thinking about 871 or 1841 that will connect to the central site using Easy VPN with network extension.

I have several questions regarding this design:
-Will the remote locations be able to communicate with each other through the central site since all of them will be connected to the central site?
-Will the VPN tunnel be constantly up or will it go down if there is no traffic?
-Do we need fixed IP addresses at the remote sites?
-Is it better to use ASA5505 instead of the routers?

Would you suggest some better solution for this scenario?

Thank you in advance!

2 Replies

JORGE RODRIGUEZ
Level 10

Yes you can, you may reference this link https://supportforums.cisco.com/message/889330#889330

-Will the remote locations be able to communicate with each other through the central site since all of them will be connected to the central site?

Yes, provided proper nonat exempt rules are configured at spoke sites and HUB to allow traffic among all small sites via HUB ASA5510.

-Will the VPN tunnel be constantly up or will it go down if there is no traffic?

In some scenarios, while there is no traffic and the tunnel remains idle for a long period of time, you will need to send traffic to bring up the tunnel.

To avoid this you can use keepalive at both tunnel end points to keep the tunnel up while there is no traffic, see this link for reference http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution4

-Do we need fixed IP addresses at the remote sites?

Ideally you would want to have a fixed public IP address on your remote site devices; if not feasible you can still create dynamic to static L2L VPNs.

Reference these links for PIX/ASA to IOS or ASA to ASA scenarios.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml 
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Regards

Jorge Rodriguez
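The spoke-to-spoke condition from the answer above, worked through as an added example that is not part of the original thread: it derives, for a hub and its spokes, the source/destination pairs each device must encrypt and exempt from NAT, checks that both ends of every tunnel mirror each other, and renders them as ASA extended ACL lines. It assumes site-to-site tunnels with explicit ACLs; the subnets and ACL names are constructed placeholders.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample addressing and hypothetical ACL names (not from the thread).
HUB_LAN = "10.0.0.0/24"
SPOKES = {"office1": "10.1.1.0/24", "office2": "10.1.2.0/24", "office3": "10.1.3.0/24"}


def check_no_overlap(hub, spokes):
    """Selectors are only unambiguous if no two sites share address space."""
    nets = {"hub": ip_network(hub), **{n: ip_network(s) for n, s in spokes.items()}}
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            raise ValueError(f"{a} {na} overlaps {b} {nb}")
    return nets


def selectors(hub, spokes):
    """Return {device: {peer: [(src, dst), ...]}} to encrypt and exempt from NAT."""
    nets = check_no_overlap(hub, spokes)
    plan = {"hub": {}}
    for name in spokes:
        remote = [nets["hub"]] + [nets[o] for o in spokes if o != name]
        # Spoke side: local LAN to the hub LAN and to every other spoke LAN.
        plan[name] = {"hub": [(nets[name], r) for r in remote]}
        # Hub side, per tunnel: hub LAN and every other spoke LAN to this spoke.
        plan["hub"][name] = [(r, nets[name]) for r in remote]
    return plan


def mirrored(plan):
    """Each spoke's selectors must be the exact mirror of the hub's for that tunnel."""
    return all({(d, s) for s, d in plan[n]["hub"]} == set(plan["hub"][n])
               for n in plan["hub"])


def acl_lines(acl_name, pairs):
    """Render selector pairs in ASA extended ACL form."""
    return [
        f"access-list {acl_name} extended permit ip "
        f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
        for s, d in pairs
    ]


if __name__ == "__main__":
    plan = selectors(HUB_LAN, SPOKES)
    for spoke, pairs in plan["hub"].items():
        print("\n".join(acl_lines(f"HUB-TO-{spoke.upper()}", pairs)))
```

On the hub ASA, traffic that enters and leaves the same interface additionally requires `same-security-traffic permit intra-interface`.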

Thank you for taking the time to respond.

And what do you think is better to use in this situation: Cisco 5505 or Cisco 871?
