Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN from site A to site C, via site B. Site B being my company.



I am hoping someone can shed some insight on this problem. We are running ASA 5520's and we have a site-to-site VPN to a client (site C). We would like to allow other clients from site A to VPN into us (site B) and route their VPN to site C.


Essentially we are trying to offer site A VPN access to site C, through us. Ideally, the clients from site A will be on their own subnet, or the same subnet of our site-to-site VPN to site C.


Thanks for taking the time to read this. I would be more than happy to provide any additional info. 




  • Small Business Security
Everyone's tags (1)

Wouldn't it be easier to just

Wouldn't it be easier to just create a L2L VPN tunnel between Site A and C?

I believe you could achieve this by creating rules that allows traffic from Site C to A and vice versa.

New Member

Would that involve

Would that involve configuration on site A and C?


The idea is that we have VPN access to site C, and want to offer site A the same access.

I think you would have less

I think you would have less configuration if you created L2L tunnel between A and C. If you go the other route I believe you will need to touch all firewalls to specify access to the subnets.

New Member

Hi,Do you have to terminate


Do you have to terminate the vpns on a ASA device? Do you have a Cisco router where you can terminate the vpns?

With a Cisco Router you can make two VTI tunnels:  A to B and B to C. Then routing between them.

You can place this router on one of the ASAs DMZs!


With the ASA is more difficult:

1.add the subnets to the interesting traffic (crypto acl) to the other vpn

2. nat exempt rules

3. More important the command: "same-security-traffic permit intra-interface" to permit traffic to come in and go out the same interface

Take a look at:


In my opinion the ASA is more suitable for remote access vpns, for L2L vpns I prefer a Cisco Router.


I hope this will help your decision.


Best regards,


Pedro Lereno

This widget could not be displayed.