VPN Design Question

Aug 17th, 2010

Re - The attached picture

There are two secure sites, site A and site B. Administrators of the servers and network devices at each site, and site to site communication, have to be secured by VPN.

Would the depicted design be possible, whereby site to site communication is via a L2L IPSec VPN terminated on the ASAs at site A and B, and with remote access IPSec VPNs terminated on the ASA at site A?

Presuming I am right in thinking that VPN can be enabled on multiple ASA interfaces, the only problem I can see is whether administrators at site A, with remote access VPN configured on the ASA at site A, would be able to reach resources at site B over the L2L IPSec VPN.

Does anyone know of any design documents that I could use to help implement a solution like the one above? I have a potential customer that has the same solution in place on alternate vendor equipment.

praprama Tue, 08/17/2010 - 08:36
Cisco Employee


Yes, that will indeed be possible. We will just need a little modification to the ACLs that we specify for the crypto maps for the site to site tunnel. Here is a document for the same:


Basically, assuming the following:

VPN client assigned IP network: A

Site 1 network: B

Site 2 network: C

For the remote access VPN users, if we have split tunnelling enabled, we will need to permit the network C as well.

The crypto ACLs will have to be modified as below:

On site 1: in addition to the line from B ----> C, add another one from A -----> C

In addition, we need to enable the intra-interface configuration, so we need to have:

same-security-traffic permit intra-interface

On site 2: in addition to the line from C -----> B, we need another one from C ----> A

Hope this helps!!

All the best!!

Thanks and Regards,


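A constructed configuration sketch of the two crypto ACL changes and the intra-interface command described in the answer above; it is added here as an illustration and is not taken from the post or from any Cisco document. All names, addresses and the ASA 8.x-style syntax are assumptions: A = 10.10.10.0/24 (client pool), B = 192.168.1.0/24 (site 1), C = 192.168.2.0/24 (site 2).

```cisco
! ===== Site 1 ASA (terminates the L2L tunnel AND the remote access VPN) =====
! Constructed addresses: A = 10.10.10.0/24, B = 192.168.1.0/24, C = 192.168.2.0/24
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Hairpinning: client traffic arrives on "outside" and must leave on "outside"
! again inside the L2L tunnel, so intra-interface traffic has to be permitted.
same-security-traffic permit intra-interface

! Crypto ACL for the L2L tunnel: the original B -> C line plus the added A -> C line
access-list L2L_TO_SITE2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_TO_SITE2 extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

! Split tunnel list for the remote access users: B and (as the answer notes) C as well
access-list RA_SPLIT standard permit 192.168.1.0 255.255.255.0
access-list RA_SPLIT standard permit 192.168.2.0 255.255.255.0

! NAT exemption for the encrypted flows (only needed if NAT would otherwise
! apply to them on this box; adjust to the NAT model of the running release)
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

crypto map OUTSIDE_MAP 10 match address L2L_TO_SITE2
crypto map OUTSIDE_MAP 10 set peer SITE2_PUBLIC_IP_PLACEHOLDER
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP interface outside

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT

! ===== Site 2 ASA (L2L tunnel only) =====
! Mirror image of the site 1 crypto ACL: C -> B plus the added C -> A line.
! Without the second line site 2 drops A -> C packets as not matching the SA.
access-list L2L_TO_SITE1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_TO_SITE1 extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

crypto map OUTSIDE_MAP 10 match address L2L_TO_SITE1
crypto map OUTSIDE_MAP 10 set peer SITE1_PUBLIC_IP_PLACEHOLDER
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP interface outside
```

To verify, connect a client and run show crypto ipsec sa on the site 1 ASA: a separate SA pair for the 10.10.10.0/24 <-> 192.168.2.0/24 proxy identities should appear once the client sends traffic to site 2, and the encaps/decaps counters should both increase.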
paultribe Tue, 08/17/2010 - 09:01
Thanks for your reply, that's great. Basically you are saying that you have to make sure networks are defined for interesting traffic in the site to site crypto map to catch traffic destined for site B.

Am I right that an alternative method (presuming a path/route exists) would be to enable remote access VPN on the ASA at site B also, and then administrators would simply need separate profiles (PCFs) to access each site within their client? This would probably be easier to implement also.



praprama Tue, 08/17/2010 - 09:16
Cisco Employee

Hey Paul,

Yes, that's right. That's the other alternative we have and yes, that will be easier. But the first solution is the one you want if you want access to both sites simultaneously. If we have 2 separate PCFs for each site, at any point the client will have access to only the site he/she is connected to. At the end of the day, it all comes down to your requirement.

All the best!!