Cisco Support Community

IPSec VPN to multiple partners.

Hello, trying to figure out a good design for connecting multiple partners to our network. I currently have allocated to the task one router and one ASA5510. Having problems with my initial design concept and am looking for guidance on a new one.

The problem is this. We will need to connect to each partner via a different IPSec tunnel using pre-shared keys, each vendor might have different requirements for their tunnel, such as encryption type, etc. Each partner will then need to be ACL'd off to only allow access to those resources they've been approved for, or to allow our employees access to resources on their network(s). To one partner we might be able to just do simple PAT, allow all of our internal hosts to connect with a few of their hosts and share one outbound IP address. Another partner might require that we not use our internal RFC 1918 addresses, but instead provide them with public IP addresses and NAT them to our internal servers IP addresses.

I was thinking of using VLANS on the ASA and terminating each tunnel on a separate VLAN interface. But then while each partner would get its own "outside" interface for NAT, they would be sharing an "inside" interface.

Pretty new at this, looking for the best way to go on it. Any suggestions and/or configuration examples would be greatly appreciated!


Re: IPSec VPN to multiple partners.

The ASA can certainly handle all of that. I would terminate the VPN on the 'outside' connection and restrict each partner (

Re: IPSec VPN to multiple partners.

Hmm... We already have something similar to this for our client based VPN solution. Maybe I wasn't clear enough that this is a site-to-site VPN I'm working on now. So these partners will be connected 24x7 and will not have distinct client sessions that I can apply a policy to.

Re: IPSec VPN to multiple partners.

Each partner connection would be distinct though correct? You can then apply group policy to each of those. Or am I still not understanding something?

CreatePlease to create content