
New Member

Network Infrastructure

Good day, community. I do have a little bit of a struggle (well, maybe a lot) and I need the advice of the pros. Here is my scenario. We currently have a site-to-site VPN, with voice and data networks on both sides. Our network is also flat and we are planning to implement VLANs. We have two ASA 5510s connecting the VPN, and Cisco 2950 switches.

We now have a 2921 for VLAN routing.

OK, hopefully I am making sense, but if we now create VLANs for our network, how will we set up the VLANs to talk to each other across the VPN connection?

Can we currently keep both the ASA and the 2921? What's the best way to handle this task?


Accepted Solutions
Hall of Fame Super Silver

Re: Network Infrastructure


Two basic things are necessary in your situation:

1. The 2921s route the traffic for the remote site via the local ASA. If the ASA is already the default gateway for the 2921 that will happen automatically, otherwise you need to modify your routing so that happens (via either running a dynamic routing protocol on the ASA or simply putting a static route in each 2921).

2. When you set up a site-site VPN, the key bit (after identifying the peers to each other and their shared key etc.) is defining what traffic is "interesting". You define the remote networks in an access list on the ASA and the VPN refers to that access-list via a crypto map. It also exempts that traffic from being NATted so it appears with its native address at the remote site.

If you use the Site-Site VPN wizard in ASDM (the ASA GUI), it will walk you through all the necessary steps to set up what I describe in #2 above.

Hope this helps, please rate helpful posts.
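
The two points above, written out as a configuration sketch for one site. This is an added example, not configuration from the original posts. It assumes ASA software 8.3 or later (older releases use a different NAT exemption syntax), and every subnet, peer address, interface name and object name in it is a constructed placeholder. The peer, pre-shared key and proposal settings of the existing tunnel are left as they are.

```cisco
! ---- Site A 2921 (routes between the new VLANs) ----
! Constructed addressing: data VLAN 10.1.10.0/24, voice VLAN 10.1.20.0/24,
! transit link 2921 <-> ASA inside = 10.1.254.0/30 (ASA .1, 2921 .2).
! Point 1: send traffic for the remote site's VLANs to the local ASA.
ip route 10.2.10.0 255.255.255.0 10.1.254.1
ip route 10.2.20.0 255.255.255.0 10.1.254.1

! ---- Site A ASA ----
! The VLANs are no longer directly connected to the ASA, so it needs
! a return route to them through the 2921.
route inside 10.1.10.0 255.255.255.0 10.1.254.2
route inside 10.1.20.0 255.255.255.0 10.1.254.2

object-group network SITE-A-VLANS
 network-object 10.1.10.0 255.255.255.0
 network-object 10.1.20.0 255.255.255.0
object-group network SITE-B-VLANS
 network-object 10.2.10.0 255.255.255.0
 network-object 10.2.20.0 255.255.255.0

! Point 2: "interesting" traffic. Every local VLAN that must reach the
! remote site has to be matched here, or it never enters the tunnel.
access-list VPN-TO-SITE-B extended permit ip object-group SITE-A-VLANS object-group SITE-B-VLANS

! The crypto map entry for the existing peer refers to that access list.
! 198.51.100.1 stands in for the Site B ASA's outside address.
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITE-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1

! NAT exemption: the same traffic keeps its native addresses.
nat (inside,outside) source static SITE-A-VLANS SITE-A-VLANS destination static SITE-B-VLANS SITE-B-VLANS

! ---- Site B ASA (mirror image) ----
! The remote access list must be the exact reverse of the one above,
! with the matching routes and NAT exemption on that side:
! access-list VPN-TO-SITE-A extended permit ip object-group SITE-B-VLANS object-group SITE-A-VLANS
```

After the change, `show crypto ipsec sa` on either ASA lists one security association per local/remote subnet pair that has passed traffic, which is a quick way to spot a VLAN that was left out of the access list on one side.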
