Cisco Support Community

ASA behind a 2911 router

Hello Experts,

I was just trying to get my hands all wet in doing some not so weird of a configuration, because I believe someone out there much more weird than I am must have done such.

OK, attached is a topology I have in my network, and I was looking at attaining some level of VPN style configuration. So here's the breakdown of each device config.


NAT configured

GRE Tunnel configured


NAT configured

Site-to-Site VPN configured

Remote VPN configured


Normal Firewall on routed mode

IPS services

Open Ports to reach my LAN

IP SLA Tracking to both edge routers

That's about what's configured on each device. So we have a current working L2L VPN to a third party vendor that's working perfectly on the 2811; now there's a need for a redundant VPN configured to the same vendor. Actually, the link on the 2811 is not as stable as that of the 2911. I was having a thought of configuring VPN on the ASA and pointing it to the 2911 router. But I have the following fears.

  1. Since I have NAT configured on the 2911, how much of an impact would that be when configuring the VPN on the ASA? I know I have seen a VPN style config where the router doesn't do NAT but the ASA was; that made it easy to do NAT exemption on the ASA.
  2. Is it possible for me to do the NAT exemption on the router instead of the ASA that's having the?
  3. I have existing VPN traffic passing the outside interface of the ASA; wouldn't adding a crypto map command to the outside interface for the VPN to the ASA complicate things for the existing one?
  4. Can I go ahead and do a static NAT between the ASA and the router? The aim is for the traffic to go through.

So these are the few concerns I have about doing such a style of VPN config. I am fully aware of having the same topology where the router doesn't participate in NAT but the ASA does the VPN.

I just want to get your two cents about what I am trying to achieve. I would appreciate your candid suggestions and opinions about this.


