New Member

site to site vpn

Hi all,

My HQ office has site to site vpn established with all our subsidiaries.

Is it possible for the subsidiaries to communicate with each other using the site to site VPN link to HQ without creating another site to site VPN link between subsidiaries? The reason I am asking this is because we have established an IP phone system where the IP PBX is located in HQ. We deploy some IP phones in the subsidiaries. The IP phone in the subsidiary could call the ext. no. of phones located in HQ and communicate effectively. But when calls are made between 2 subsidiaries, the call could be established but voice could not be heard on both ends. Please advise. Thanks in advance.

6 REPLIES
Hall of Fame Super Blue

Re: site to site vpn

wenbin_li wrote:

Hi all,

My HQ office has site to site vpn established with all our subsidiaries.

Is it possible for the subsidiaries to communicate with each other using the site to site VPN link to HQ without creating another site to site VPN link between subsidiaries? The reason I am asking this is because we have established an IP phone system where the IP PBX is located in HQ. We deploy some IP phones in the subsidiaries. The IP phone in the subsidiary could call the ext. no. of phones located in HQ and communicate effectively. But when calls are made between 2 subsidiaries, the call could be established but voice could not be heard on both ends. Please advise. Thanks in advance.

Short answer is yes, you can, by modifying the crypto access-lists at HQ and the spoke sites so that each site can see every other site. If you have an ASA at HQ you will also need to allow traffic back out the same interface, a feature called hairpinning. But adding in each spoke and keeping track of it all can be a high administration overhead, plus all traffic from spoke to spoke will have to go via HQ, which, when we are talking about things like VOIP, only adds to the latency.

However, this is not really the right solution. Cisco have a technology called DMVPN which allows dynamic tunnel setup between HQ and spokes and also spoke to spoke traffic, and this is far better suited to your problem. Using DMVPN also means that spoke to spoke traffic would not have to go via HQ. There is a link below to the DMVPN page; there is a PDF overview of the technology about halfway down -

http://www.cisco.com/en/US/customer/products/ps6658/index.html

Jon
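As an added illustration of the first option Jon describes (not from the thread or from Cisco's documentation): hub crypto ACLs that also carry the other spokes' subnets, the hairpinning command on an ASA hub, and the mirrored ACL on one spoke. Addresses, ACL and crypto map names, peers and the transform-set name are constructed; the assumption is ASA/PIX 7.x-style syntax and that, as in a typical IP PBX deployment, call signalling goes to the PBX at HQ while the voice stream flows directly between the two phones, which is why the call sets up but no audio crosses the hub-and-spoke-only tunnels.

```cisco
! Hub ASA (constructed: HQ LAN 10.0.0.0/24 holds the PBX,
! spoke A LAN 10.1.0.0/24, spoke B LAN 10.2.0.0/24)
!
! Crypto ACL toward spoke A. The first line is the usual hub-to-spoke entry;
! the second is the added spoke-to-spoke entry, so packets arriving from
! spoke B for spoke A are matched and re-encrypted toward spoke A.
access-list CRYPTO-SPOKE-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list CRYPTO-SPOKE-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! Crypto ACL toward spoke B, with the matching spoke-to-spoke entry.
access-list CRYPTO-SPOKE-B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list CRYPTO-SPOKE-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! Hairpinning: decrypted traffic from one spoke must be allowed to leave the
! same outside interface it arrived on, to be re-encrypted toward the other spoke.
same-security-traffic permit intra-interface
!
! Spoke-to-spoke traffic also has to be exempted from NAT on the hub, exactly
! like the existing HQ-to-spoke traffic (the NAT exemption syntax depends on
! the ASA version, so it is not shown here).
!
crypto map OUTSIDE-MAP 10 match address CRYPTO-SPOKE-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address CRYPTO-SPOKE-B
crypto map OUTSIDE-MAP 20 set peer 198.51.100.2
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
!
! Spoke A: its crypto ACL must mirror the hub's entries for it, otherwise the
! hub's proposal for the 10.1.0.0/24 <-> 10.2.0.0/24 pair is rejected.
access-list CRYPTO-HQ extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list CRYPTO-HQ extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address CRYPTO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
```

Every additional spoke needs one more entry in each existing spoke's ACL on both the hub and that spoke, which is the administration overhead Jon warns about.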

New Member

Re: site to site vpn

Hi Jon,

Thank you for the advice. However, I am unable to access the link you provided due to limited access of my account. Can you provide me any link on the internet that shows details of the implementation of DMVPN? Thanks in advance.

New Member

Re: site to site vpn

Hi,

If my HQ is using a Cisco PIX, can it support DMVPN?

Cisco Employee

Re: site to site vpn

The ASA/PIX do not do DMVPN, only routers can do it. It is a security technology that works in a hub and spoke setup.

Here are the config guide examples: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1087887

I hope it helps.

PK

New Member

Re: site to site vpn

Hi PK,

If my HQ is using a Cisco PIX firewall and my other regional sites are using Cisco PIX/ASA firewalls, is it really impossible to implement DMVPN? Is there a workaround? Please advise with a configuration example if possible. Thanks in advance.

Cisco Employee

Re: site to site vpn

You can use ezVPN or site to site VPN with dynamic map. Though keep in mind that you will have the direct spoke to spoke communication. Everything you send between 2 spokes will go through the hub.

Example for the PIX with dynamic map: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml#configs

And an example for ezVPN: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

I hope it helps.

Rate useful posts.

PK
