Cisco Support Community

VPN networking strategy assistance

Currently, the network topology at my workplace is the following:

The main office/network (Fairbanks) is in the 10.9.x subnet, and connects to the outside world through a Cisco ASA 5510 box.

Users on individual computers can use a VPN client to connect to the ASA, whereupon they are assigned an IP in the 10.8.x subnet. They can then access the rest of the local network.

We also have a number of outstations which are on various other 10.x subnets at their location (10.4.x, 10.5.x), which connect to the outside world through public internet services (cable modem, DSL, etc.). These stations currently have no connectivity back to our main network.

We are looking at deploying a VPN solution for these outstations using VPN routers to connect back to the ASA box. Once connected, we would like the outstations to have full access to the rest of the network, including any other outstations that would be VPN'd in. Making a single VPN connection has proved simple enough; I was able to establish a tunnel from the 10.9.x subnet to the 10.5.x subnet with minimal effort. This, however, does not allow machines in other subnets, such as the 10.8.x subnet, to communicate with the 10.5.x machines.

From what I am seeing right now, I will need to set up on the ASA as well as each remote router a separate tunnel to go between each subnet I want to be able to communicate with. So, for example, I would need to set up a 10.9.x<==>10.5.x tunnel, a 10.8.x<==>10.5.x tunnel, a 10.4.x<==>10.5.x tunnel, etc., on both the ASA box and the remote router. That process would then have to be repeated for each outstation (10.4.x to each, 10.3.x to each, etc.). While doable (we don't have THAT many outstations) this seems somewhat messy. Is there a better way to do this? Some way to set up a tunnel that says "All traffic going to 10.5.x, regardless of where it is coming from, goes over tunnel A" perhaps? The subnets of the outstations are flexible, and can be changed if necessary; only the 10.9.x subnet has to remain as-is. Any ideas on how to set things up to enable as seamless communication between stations as possible are appreciated. Thanks!


Re: VPN networking strategy assistance

You could just create tunnels from each remote site to the main site (10.9.x.x) ASA. Then if they are set up properly (interesting traffic etc.), all of your remote networks will be able to communicate with each other as well as the main site. So it would really be






Re: VPN networking strategy assistance

Thanks for the feedback. So if I understand you correctly, we'd essentially end up with a star topology. I have managed to make a tunnel that says "send all traffic from 10.x to 10.5.x (or whatever) over this tunnel", so that should be doable. The Linksys VPN router that we are trying at the remote site didn't want to let me set it up that way at first (since the remote group, 10.x, conflicted with the local group, 10.5.x), but it did let me do it. Would it be a better idea to go with a mesh topology perhaps? I would think this would get better performance (as we don't have to come all the way in and all the way back out, thus skipping at least one satellite link), but might the added complexity of that outweigh the performance benefits? It is of note that most, if not all, of the communication to our outstations has to go through satellite links, which incurs a rather high latency in the connection. Therefore, minimizing the path is generally desirable.
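The star (hub-and-spoke) layout recommended in the first reply, and the "send everything in 10.x bound for 10.5.x over this tunnel" crypto ACL described in the post above, written out as hub-side ASA configuration. This is an added example, not configuration posted by anyone in the thread. It assumes pre-8.3 ASA syntax (IKEv1 with `crypto isakmp`, `nat 0` NAT exemption), two outstations whose public addresses are the hypothetical 203.0.113.4 and 203.0.113.5, an outside interface named `outside`, and placeholder pre-shared keys; lines beginning with `!` are annotations.

```text
! Hub ASA at Fairbanks: inside 10.9.0.0/16, remote-access client pool 10.8.0.0/16.
! Peer addresses and key placeholders below are hypothetical.
!
! "Interesting traffic" for each spoke: anything in 10.0.0.0/8 bound for that
! spoke. Because the summary already covers 10.9, 10.8 and every other spoke,
! spoke-to-spoke traffic hairpins through the hub on the two tunnels that
! already exist instead of needing a tunnel per subnet pair.
access-list L2L-TO-SITE5 extended permit ip 10.0.0.0 255.0.0.0 10.5.0.0 255.255.0.0
access-list L2L-TO-SITE4 extended permit ip 10.0.0.0 255.0.0.0 10.4.0.0 255.255.0.0
!
! If a remote router refuses a remote network that overlaps its own local
! network (the Linksys objection above), list the sources explicitly instead.
! Each line negotiates its own IPsec SA pair, but all of them ride the SAME
! IKE tunnel and the same crypto map entry; they are not separate tunnels:
!   access-list L2L-TO-SITE5 extended permit ip 10.9.0.0 255.255.0.0 10.5.0.0 255.255.0.0
!   access-list L2L-TO-SITE5 extended permit ip 10.8.0.0 255.255.0.0 10.5.0.0 255.255.0.0
!   access-list L2L-TO-SITE5 extended permit ip 10.4.0.0 255.255.0.0 10.5.0.0 255.255.0.0
!
! Keep tunnelled traffic out of any inside->outside PAT rule (pre-8.3 syntax).
access-list NO-NAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NO-NAT
!
! Required for spoke-to-spoke through the hub: packets decrypted on the outside
! interface leave again through that same interface to reach the other spoke.
same-security-traffic permit intra-interface
!
! Phase 1 (IKEv1) and phase 2 parameters shared by all spokes. Group 2 and SHA-1
! are what routers of this vintage commonly support; pick stronger values if
! both ends allow it.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! One crypto map entry per spoke, all on the single map bound to outside.
crypto map OUTSIDE_MAP 10 match address L2L-TO-SITE5
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address L2L-TO-SITE4
crypto map OUTSIDE_MAP 20 set peer 203.0.113.4
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! One tunnel-group per spoke, each with its own long random pre-shared key.
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key <site5-psk>
tunnel-group 203.0.113.4 type ipsec-l2l
tunnel-group 203.0.113.4 ipsec-attributes
 pre-shared-key <site4-psk>
```

Each outstation router mirrors its own entry exactly (local 10.5.0.0/16, remote 10.0.0.0/8, or the explicit per-source lines if the summary is used on neither end); the ASA with IKEv1 rejects a phase 2 proposal whose proxy identities do not match an ACE in the crypto ACL. Adding a spoke is one ACL, one crypto map entry and one tunnel-group on the hub, with no change to the other spokes. Two things are easy to miss: the remote-access clients in 10.8.x only reach the spokes if their split-tunnel list (if any) includes the spoke networks, and `show crypto ipsec sa` on the hub shows which SA a given flow actually landed on, which is the quickest way to confirm that 10.4.x to 10.5.x traffic is being decrypted on one entry and re-encrypted on the other rather than dropped.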


Re: VPN networking strategy assistance

Sorry, from your original post it sounded like you didn't want to create multiple tunnels at the remote sites. An obvious advantage of mesh would be the scenario if your main site were down: all remote sites could still communicate. Another thing to consider is whether your remote sites communicate mostly with the main site or with other remote sites.


Re: VPN networking strategy assistance

Well, my goal here is to create the "best" system with the least amount of effort. I would rather not create multiple tunnels at the remote site if there is a "better" way of doing things, but if it is worth the effort, then I will. At this point I am just trying to see what my options are and figure out the best way. As far as communications go, most communication will be with the main site, with only a smaller amount of traffic between remote sites, so perhaps the increased latency of a star topology won't be an issue. It bears some thought. Anyway, thanks for the input, and if you have any other ideas I will willingly listen!


Re: VPN networking strategy assistance

I have read up on a product by Cisco (the name escapes me at the moment) that would act as sort of a VPN server. Your remote sites would all connect to a central server which contains information about all of your sites. Let's say remote site 10.4.x.x needs to communicate with 10.6.x.x; the device would then create a P2P tunnel between the two sites, then tear down the session when it is complete. Again, it was just a blurb in an article, but it seemed to fit what you were looking into.
