Cisco Support Community

Scenario: Questions with ASA 5520 plus 2 1811's to another ASA 5520

Hi all,

I have a live placement happening in about a week and need some answers. Here is the basic layout of what we are trying to accomplish:

ASA 5520 with 2 internal networks (one is a DMZ with Web servers, the other an internal LAN) connecting via VPN tunnels to two remote 1811's, each with an internal LAN and the outside interfaces connecting to ISP routers, the other connection will be to another ASA 5520 via VPN on the outside interface also. Additionally, the Remote ASA 5520 will be connecting to the two 1811's on separate VPN tunnels.

What is needed:

1. Need to ensure that ONLY VPN tunnel traffic is allowed through the 1811's (meaning that nothing except VPN tunnel traffic can get to the internal LAN's on the inside interfaces of the 1811's... No NAT is configured on the 1811's). Does this require an access-list on the outside interfaces of the 1811's?

2. I need to set up a VPN group for remote clients to connect to the 1811's and the ASA's to allow them to connect and access internal LANs and web proxy.

3. The remote VPN client users currently are using the Symantec client on their laptops/PC's (the ASA will be replacing a Symantec SEF), so I need a way to have the clients have both clients on their laptops/PC's for a limited time in case we have connection problems with the ASA VPN's and need to switch back to the SEF until any issues with the ASA's are resolved.

Can anyone assist with these questions? Any help would be appreciated, thanks!


Re: Scenario: Questions with ASA 5520 plus 2 1811's to another A

To allow only VPN traffic through the tunnel, you need not configure split-tunneling. Use split-tunneling only if you want some of your traffic to be sent unencrypted to the Internet and the rest to be encrypted that goes to the remote LAN.
