Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
0
Helpful
1
Replies

site to site vpn design question

kope
Level 1
Level 1

‎05-07-2010 12:26 PM

I am trying to design a solution for three site-to-site tunnels to three different customers via a ASA as the vpn endpoint on my end.  The customers connection are via T1 connections and there will be three 2811 routers in front of the ASA for the T1 connections. My diagram would look like this:

       customer a  ---------                                 -------------- t1 -------------   cisco2811  --------- <lan1> --------

                                                                                                                                                               ______                                                                                                                            

       customer b  ---------            <internet>       -------------- t1 --------------   cisco2811 -----------<lan 2> -------         | ASA   | -----------   inside network

                                                                                                                                                               |______|

       customer c ---------                                   ------------- t1 --------------   cisco2811 -----------<lan 3> -------        

Looks like this could be my options, not sure if this would work, please comment.

-- Can I terminate three different physical links directly to the ASA and create three site to site tunnels with three different endpoint (peer) ip?  Can the ASA support three outside interfaces with same security zone 0?

-- My other options could be putting a switch between the 2811s and the ASA so it could possibly configure a single trunk to the ASA?

I only have two block of public ip addresses for each customer. (one block belongs to the T1 side, other block is the lan side).

Do anyone running into similar situation?

Thanks,

Labels:
0 Helpful
1 Reply 1

Jennifer Halim
Cisco Employee
Cisco Employee

‎05-08-2010 01:38 AM

I would recommend terminating all the 3 VPN tunnels to just the 1 outside interface of the ASA for simplicity.

Basically, configure all the 2811 LAN with public ip range in the same subnet as the ASA outside interface, with switch connecting all the 3 routers and ASA outside interface. On the ASA, you would need to configure route for each of the customer's VPN peer IP and LAN subnets to be routed to the corresponding 2811 router LAN interface IP.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents