Cisco Support Community
New Member

Branch-To-Branch connectivity


I have a question.

I have a couple of ASA 5510 (failover) at a central office and a couple of branch offices, both connected to the CO through an IPsec VPN.

A classic hub-and-spoke.

Tunnels work fine for both branches, but what I cannot manage to do is to reach one branch from the other, through the CO.

Is this possible?

I checked the routing and the crypto ACL to be sure the traffic has a route and will be tunneled.

What should I consider further?

We will think about DMVPN in the future.

Really, thank you all for your help.


Hall of Fame Super Gold

Branch-To-Branch connectivity

This is a fairly common issue when implementing hub-and-spoke site-to-site VPN using ASA. The issue is that by default the ASA will not forward traffic back out the same interface on which it arrived. So think about this: a packet arrives from branch 1 on the ASA outside interface and has the destination as being branch 2. What does the ASA need to do? It needs to forward the traffic back out the outside interface. But by default the ASA does not do this.

You need the command same-security-traffic permit intra-interface. This will allow the ASA to forward back out the same interface on which the traffic arrived. Give it a try and let us know how it works.
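The pieces that have to line up on the hub for spoke-to-spoke hairpinning, as an added example that is not part of this thread or any poster's configuration. All addresses, object names and ACL names are assumed (hub LAN 10.0.0.0/24, spoke 1 LAN 10.1.0.0/24, spoke 2 LAN 10.2.0.0/24, hub outside 203.0.113.1, spoke peers 198.51.100.1 and 198.51.100.2), and ASA 8.4+ object-based NAT syntax is assumed; ISAKMP policies and tunnel-groups are unchanged from a normal site-to-site setup and are omitted.

```cisco
! Added example, not from the thread. Assumed addressing:
!   hub LAN 10.0.0.0/24, spoke1 LAN 10.1.0.0/24, spoke2 LAN 10.2.0.0/24
!   hub outside 203.0.113.1, spoke1 peer 198.51.100.1, spoke2 peer 198.51.100.2
! ASA 8.4+ syntax assumed.

! ===== Hub ASA =====
! 1. Let decrypted spoke traffic leave through the interface it arrived on.
same-security-traffic permit intra-interface

object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
object network SPOKE1-LAN
 subnet 10.1.0.0 255.255.255.0
object network SPOKE2-LAN
 subnet 10.2.0.0 255.255.255.0

! 2. Each spoke's crypto ACL must cover the OTHER spoke's LAN as well as the
!    hub LAN, otherwise the hairpinned packet has no SA to be encrypted into.
access-list VPN-SPOKE1 extended permit ip object HUB-LAN object SPOKE1-LAN
access-list VPN-SPOKE1 extended permit ip object SPOKE2-LAN object SPOKE1-LAN
access-list VPN-SPOKE2 extended permit ip object HUB-LAN object SPOKE2-LAN
access-list VPN-SPOKE2 extended permit ip object SPOKE1-LAN object SPOKE2-LAN

! 3. NAT exemption. The (inside,outside) rules are the usual hub-to-spoke
!    exemptions; the (outside,outside) identity rules keep a broader dynamic
!    rule on outside from translating the spoke-to-spoke flow.
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE1-LAN SPOKE1-LAN no-proxy-arp route-lookup
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE2-LAN SPOKE2-LAN no-proxy-arp route-lookup
nat (outside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static SPOKE2-LAN SPOKE2-LAN
nat (outside,outside) source static SPOKE2-LAN SPOKE2-LAN destination static SPOKE1-LAN SPOKE1-LAN

! 4. One crypto map entry per spoke, all on the single outside interface.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SPOKE1
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-SPOKE2
crypto map OUTSIDE-MAP 20 set peer 198.51.100.2
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! ===== Spoke 1 ASA (spoke 2 is the mirror image) =====
! Object definitions for HUB-LAN, SPOKE1-LAN, SPOKE2-LAN as on the hub.
! The spoke's crypto ACL must also name the other spoke's LAN; the hub
! is the only peer, so both destinations hang off the same map entry.
access-list VPN-HUB extended permit ip object SPOKE1-LAN object HUB-LAN
access-list VPN-HUB extended permit ip object SPOKE1-LAN object SPOKE2-LAN
nat (inside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static HUB-LAN HUB-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static SPOKE2-LAN SPOKE2-LAN no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

To confirm the hairpin is working, generate traffic from spoke 1 to spoke 2 and run show crypto ipsec sa peer 198.51.100.1 on the hub: a second IPsec SA with local ident 10.2.0.0/24 and remote ident 10.1.0.0/24 should appear with non-zero encaps/decaps counters. If only the hub-LAN SA exists, the crypto ACLs do not agree on the spoke-to-spoke pair; if the SA exists but counters stay at zero, check the intra-interface command and the NAT exemption on the hub.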


