
Site to Site VPN

Ahmed Yassin
Level 1

Dear all,

I have a router 2811 with an internet line of 2 Mbps in my head office and a PIX 515e firewall between the LAN and this router.

In another branch of my company, I have a router 2811 with an internet line of 1 Mbps and an ASA 5510 firewall between the LAN and this router.

Also, I have a dedicated MPLS line with 6 Mbps connecting the head office with the branch (between the two routers).

Finally, I want to make a site-to-site VPN between the head office and the branch through the internet. How can this be done, and where: on the router or the firewall?

Thanks a lot for your cooperation.

1 Reply

mopaul
Cisco Employee


Hi,


You need to configure the VPN on the end device (i.e. the one close to the internet). To my understanding, you have the following topology:


----ASA----Router---[ Internet]---Router---ASA


If this is true, please refer to the following sample configuration document to configure the VPN on the routers.


Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static
www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

In this configuration example:
--The access-list 101 on R2 is used to define the interesting traffic for the VPN.
--The access-list 175 on R2 is used to exempt the VPN interesting traffic from NAT on the router. The keyword "DENY" is used for this purpose.

Similarly, it's done on Router 3 as well.

Note: You need access-list 175 if you are doing NAT on the router; otherwise it's not required.

HTH....


Regards


M

Mohit Paul CCIE-Security 35496

P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
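
As an added illustration of the reply above (not part of the original post or the linked Cisco document), this fragment shows how a crypto ACL 101 and a NAT-exemption ACL 175 fit together on the head-office router. All addresses, interface names, the names S2S-SET and S2S-MAP, the crypto parameters and the use of `ip nat inside source list` are assumptions; the branch router mirrors it with source and destination swapped.

```cisco
! Head-office router, constructed example values:
!   HQ LAN 10.1.1.0/24, branch LAN 10.2.2.0/24 (assumed to reach the
!   routers without being translated by the firewalls behind them)
!   HQ WAN 192.0.2.1, branch WAN 198.51.100.1 (documentation ranges)
!
! Phase 1 (ISAKMP) policy; both peers must agree on these values
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key <PRE_SHARED_KEY> address 198.51.100.1
!
! Phase 2 (IPsec) protection applied to the interesting traffic
crypto ipsec transform-set S2S-SET esp-aes 256 esp-sha-hmac
!
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set S2S-SET
 match address 101
!
! ACL 101: interesting traffic, i.e. what gets encrypted.
! The branch side must be the exact mirror of this entry.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! ACL 175: selects what is NATed. The deny line comes first so that
! LAN-to-LAN traffic keeps its private source address; inside-to-outside
! NAT runs before the crypto map check, so translated packets would no
! longer match ACL 101 and would leave unencrypted or be dropped.
access-list 175 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 175 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source list 175 interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 description Towards the firewall / LAN
 ip nat inside
!
interface FastEthernet0/1
 description Internet link
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
 crypto map S2S-MAP
```

After applying both sides, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that the tunnel is up and that the encaps/decaps counters increase, and `show ip nat translations` should list no entries for branch-bound traffic.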