Cisco Support Community
Community Member

A Design Question


Please could someone help me with this.

We are planning to set up a network with a Head Office and 8 branch offices. All the branch offices have fewer than 20 users and they need to access the DB server and file server in HO. At present we have got Cisco 1900 ISR on all the branch offices and ASA 5505 in HO. Can we set up a VPN network between these sites? If so, how do we design this? Is there any Cisco design documentation to do the same?

Many thanks in advance.

Regards, Tony
Cisco Employee

Hi,

You can check the following excerpt from Cisco, which states the current deployments available, and select the one that suits you best.

Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Yadhu,


You can achieve it via LAN-to-LAN VPN, a kind of hub-and-spoke VPN where your ASA is the hub and all the other routers are spokes...




Community Member

Really appreciate your help on this.

I could find Hub-and-Spoke and Full Mesh VPN Topologies on the link

Please could you let me know if there are some configuration examples available for these two types?

I would like to configure Standard IPsec VPN over the network. Also would like to know how the routing part is configured in this scenario.



Regards, Tony
Hall of Fame Super Silver

With the ASA at your head office, you cannot use DMVPN as your overlay, so we typically fall back to the IPsec LAN-LAN VPN (sometimes referred to as site-site). There are many, many configuration examples for this - see, for example, the ones under the heading "Site to Site VPN" here:

With respect to routing, the simplest method is if the 5505 and the remote site 1900 ISR routers are the default gateway for their respective site. If so, the access-lists on each device identify traffic destined for one of the remote sites and encapsulate it into IPsec for transmission to the peer's public IP address. At the distant end it is received, decapsulated and passed on to the remote hosts.
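The access-list matching described in the reply above only works when each pair of peers describes the same flows with source and destination swapped. The following is an added example, not part of the reply or of any Cisco document: it generates the per-site "interesting traffic" entries for a hub and 8 spokes and flags any spoke whose entries do not mirror the hub's. The addressing plan, the ACL names `VPN-BR1` and `110`, and the branch labels are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption): HO LAN plus 8 branch LANs.
HO_LAN = ipaddress.ip_network("10.0.0.0/24")
BRANCH_LANS = {f"BR{n}": ipaddress.ip_network(f"10.1.{n}.0/24") for n in range(1, 9)}


def hub_entries(ho_lan, branch_lans):
    """Per-peer crypto ACL on the hub: HO LAN -> each branch LAN."""
    return {name: [(ho_lan, lan)] for name, lan in branch_lans.items()}


def spoke_entries(ho_lan, branch_lan):
    """Crypto ACL on one spoke: branch LAN -> HO LAN."""
    return [(branch_lan, ho_lan)]


def is_mirror(side_a, side_b):
    """Both peers must list the same flows with source and destination swapped."""
    return {(s, d) for s, d in side_a} == {(d, s) for s, d in side_b}


def render_asa(name, entries):
    # ASA extended ACLs take subnet masks.
    return [f"access-list {name} extended permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
            for s, d in entries]


def render_ios(number, entries):
    # IOS extended ACLs take wildcard (inverse) masks.
    return [f"access-list {number} permit ip "
            f"{s.network_address} {s.hostmask} {d.network_address} {d.hostmask}"
            for s, d in entries]


def audit(ho_lan, branch_lans, spoke_configs):
    """Return the names of branches whose ACL does not mirror the hub's."""
    hub = hub_entries(ho_lan, branch_lans)
    return sorted(n for n, acl in spoke_configs.items() if not is_mirror(hub[n], acl))


if __name__ == "__main__":
    spokes = {n: spoke_entries(HO_LAN, lan) for n, lan in BRANCH_LANS.items()}
    # Constructed fault: BR3 was typed with a /25 instead of a /24.
    spokes["BR3"] = [(ipaddress.ip_network("10.1.3.0/25"), HO_LAN)]
    print("\n".join(render_asa("VPN-BR1", hub_entries(HO_LAN, BRANCH_LANS)["BR1"])))
    print("\n".join(render_ios(110, spokes["BR1"])))
    print("non-mirrored:", audit(HO_LAN, BRANCH_LANS, spokes))
```

Branch-to-branch traffic is not covered by these entries; carrying it through the hub would need additional mirrored entries on every device.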

Community Member

Hi Marvin,

Many thanks for your reply.

So if I use 1900 ISR in Head Office could I perform a configuration similar to the example mentioned in ?

Also, can you advise whether the following is a good approach?

Or is there any other way I can configure a mesh topology using ISR routers alone (without using ASA)?

Thanks again.

Regards, Tony
Hall of Fame Super Silver

Of the two you mentioned just now, the DMVPN is more scalable. The first example is a 7-year-old document and many organizations find it much more labor intensive to keep up all of those manually configured access-lists and other configuration bits.

An even more flexible approach, although less well-documented due to its relative age, is FlexVPN. See the FlexVPN data sheet for an overview of its advantages:

Here are a couple of FlexVPN configuration examples:

Both DMVPN and FlexVPN allow you to route dynamically and establish tunnels in a mesh fashion as needed to reach all the sites, whether spoke-hub or spoke-spoke.

Community Member

Hi Marvin,

Thank you for your help.

I will try FlexVPN and let you know if I face any issues. Your advice is much appreciated.

Many thanks.

Regards, Tony