Cisco Support Community

New Member

site to site vpn design question

I am trying to design a solution for three site-to-site tunnels to three different customers via an ASA as the VPN endpoint on my end. The customers' connections are via T1 connections and there will be three 2811 routers in front of the ASA for the T1 connections. My diagram would look like this:

       customer a ---------                ------- t1 ------- cisco2811 ------- <lan1>  -------
       customer b ---------   <internet>   ------- t1 ------- cisco2811 ------- <lan 2> ------- | ASA | ------- inside network
       customer c ---------                ------- t1 ------- cisco2811 ------- <lan 3> -------

Looks like these could be my options; not sure if this would work, please comment.

-- Can I terminate three different physical links directly to the ASA and create three site-to-site tunnels with three different endpoint (peer) IPs? Can the ASA support three outside interfaces with the same security zone 0?

-- My other option could be putting a switch between the 2811s and the ASA so I could possibly configure a single trunk to the ASA?

I only have two blocks of public IP addresses for each customer (one block belongs to the T1 side, the other block is the LAN side).

Has anyone run into a similar situation?


Cisco Employee

Re: site to site vpn design question

I would recommend terminating all 3 VPN tunnels on just the 1 outside interface of the ASA for simplicity.

Basically, configure all the 2811 LANs with a public IP range in the same subnet as the ASA outside interface, with a switch connecting all 3 routers and the ASA outside interface. On the ASA, you would need to configure a route for each customer's VPN peer IP and LAN subnets, routed to the corresponding 2811 router LAN interface IP.
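
The single-outside-interface layout described in the reply above, as an added ASA configuration example that is not part of the original thread: it assumes ASA 8.4 or later (`ikev1` keyword syntax) and leaves the IKE DH group at the platform default. Every interface name, address, object name and key placeholder is constructed for illustration.

```cisco
! Constructed addressing (RFC 5737 documentation ranges), not from the thread.
! Shared outside segment 192.0.2.0/28: ASA .1, 2811 LAN interfaces .2 / .3 / .4
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.240
!
! Per customer: a host route to the VPN peer plus a route to the remote LAN,
! both pointing at that customer's 2811 LAN interface.
route outside 198.51.100.10 255.255.255.255 192.0.2.2
route outside 10.10.1.0 255.255.255.0 192.0.2.2
route outside 198.51.100.20 255.255.255.255 192.0.2.3
route outside 10.10.2.0 255.255.255.0 192.0.2.3
route outside 203.0.113.30 255.255.255.255 192.0.2.4
route outside 10.10.3.0 255.255.255.0 192.0.2.4
!
! One crypto ACL per customer, scoped to exactly the subnets that tunnel carries
! (inside network assumed to be 10.0.0.0/24).
access-list VPN-CUST-A extended permit ip 10.0.0.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list VPN-CUST-B extended permit ip 10.0.0.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list VPN-CUST-C extended permit ip 10.0.0.0 255.255.255.0 10.10.3.0 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
! One crypto map, one sequence number per peer, applied once to outside.
crypto map OUTSIDE-MAP 10 match address VPN-CUST-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN-CUST-B
crypto map OUTSIDE-MAP 20 set peer 198.51.100.20
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 30 match address VPN-CUST-C
crypto map OUTSIDE-MAP 30 set peer 203.0.113.30
crypto map OUTSIDE-MAP 30 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
! Separate pre-shared key per customer (placeholders, not real values).
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-CUSTOMER-A>
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <PSK-CUSTOMER-B>
tunnel-group 203.0.113.30 type ipsec-l2l
tunnel-group 203.0.113.30 ipsec-attributes
 ikev1 pre-shared-key <PSK-CUSTOMER-C>
```

Because all three peers share one crypto map, keeping each crypto ACL limited to its own customer's subnets is what stops traffic for one customer from matching another customer's tunnel.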
