Cisco Support Community

Designing a hub and spoke VPN with 5510 (hub) and SonicWall TZ100 (spoke)

Currently we have a hub and spoke VPN network with AT&T. They cost too much, so we decided to design our own VPN network.

ASA 5510 and multiple TZ100s (SonicWall)

What I'm wrestling with is trying to understand how AT&T is doing it.

We have the beginnings of our network up: the ASA 5510 and two endpoints, an ASA 5505 and a TZ100.

AT&T's network consists of a Cisco VPN 3000 and numerous Netgates (Sg7100). Those are rebranded SnapGear or Secure Computing endpoints.

I've worked a bit with Cisco getting the tunnels configured.

This is what I'm not understanding.

Here's a picture of the VPN network:

[Diagram: Cisco VPN 3000 as hub, with a Netgate spoke for each /24]


Also, I'm not sure if AT&T set same-security-traffic permit intra-interface, or I suspect it's the setting of OSPF and RRI that allows me to go over the VPN tunnel to any endpoints on

i.e. --- VPN Tunnel ---

My network is not working the way AT&T has theirs set up.

1st. In configuring my network, Cisco had me assign a static route in one of the endpoints (hub) to just reach the from the network. Moving forward, to reach I can only assume I need to add a route for to reach the other endpoints from another endpoint.

2nd. These AT&T endpoints are not very configurable. Granted, AT&T probably has them locked down with their firmware, but I can't see AT&T pre-configuring the router with static routes. Their VPN 3000, in my opinion, has to be updating the routes in the endpoint.


3rd. In moving our network, I asked AT&T to move two /24s and point them to our ASA instead of the Cisco VPN 3000.

They said that would be a problem because we have reverse route injection enabled.

I have limited knowledge of RRI. Would this be the setting that causes the endpoints' routing tables to be updated from the Cisco VPN 3000?

Anyone have any suggestions on how to implement what I'm trying to do?

Basically, I would like to control more of the routing from the ASA 5510 if possible.

Thanks in advance.
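The post above asks what RRI does and how to keep routing control on the ASA hub. The following is an added editorial example, not configuration from the original poster, from Cisco, or from AT&T's setup. It shows the hub side of a hub-and-spoke design on an ASA 5510 in ASA 8.2-style syntax: spoke-to-spoke hairpinning with `same-security-traffic permit intra-interface`, reverse route injection with `set reverse-route`, and redistribution of the injected routes into OSPF. All addresses (10.0.0.0/24 hub LAN, 10.1.0.0/24 and 10.2.0.0/24 spoke LANs, 203.0.113.x peers), object names and pre-shared keys are assumptions made for the example.

```cisco
! Added example, not from the original post. Assumed ASA 8.2-style syntax,
! assumed RFC 1918 LANs, assumed RFC 5737 peer addresses and assumed names.
! Hub LAN 10.0.0.0/24 behind "inside". Spoke1 LAN 10.1.0.0/24 (peer 203.0.113.10),
! spoke2 LAN 10.2.0.0/24 (peer 203.0.113.20).

! 1. Allow traffic that arrives on "outside" through one tunnel to leave
!    "outside" again through another tunnel (spoke-to-spoke via the hub).
same-security-traffic permit intra-interface

! 2. Crypto ACLs. Each spoke's ACL must cover the hub LAN AND the other spoke
!    LANs as sources, otherwise hairpinned spoke-to-spoke packets match no tunnel.
access-list SPOKE1_VPN extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SPOKE1_VPN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list SPOKE2_VPN extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list SPOKE2_VPN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! NAT exemption so tunnel traffic from the hub LAN is not translated (pre-8.3 form).
access-list NO_NAT extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NO_NAT extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! 3. IKE phase 1 and IPsec phase 2 parameters; the TZ100 side must match.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <spoke1-psk>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <spoke2-psk>

! 4. Crypto map entries. "set reverse-route" is RRI: the ASA installs a static
!    route for each remote (destination) subnet in the entry's crypto ACL,
!    pointing out "outside" toward that peer. No hand-typed route per spoke.
crypto map OUTSIDE_MAP 10 match address SPOKE1_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP 20 match address SPOKE2_VPN
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 set reverse-route
crypto map OUTSIDE_MAP interface outside

! 5. Advertise the RRI-injected static routes to routers on the hub LAN, so
!    they learn the spoke subnets without static routes of their own.
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 redistribute static subnets

! Check: "show route" should list 10.1.0.0/24 and 10.2.0.0/24 as static routes
! via outside once injected; "show crypto ipsec sa" shows the SAs per peer.
```

Two points worth keeping in mind when reading this against the questions in the post. RRI acts on the device where it is configured: it puts routes for the remote subnets of each crypto ACL into the hub's own routing table, which is why removing subnets from a hub that has RRI enabled changes its routes; it does not push routes down to the spokes. A policy-based spoke such as the TZ100 has no routing protocol in the tunnel at all; the equivalent of a "route" there is the VPN policy's list of remote networks, which must include the hub LAN and every other spoke LAN it should reach, mirroring the hub's crypto ACL above.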
