Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site to Site VPN

Dear all,

I have a router 2811 with internet line of 2 Mbps in my head office and PIX 515e firewall bettwen the LAN and this router.

In another branch of my company, i have router 2811 with internet line of 1 Mbps and ASA 5510 firewall bettwen the LAN and this router.

Also, i have a dedicated MPLS line with 6 Mbps connect head office with the branch(between the two routers)

Finally i want to make a site to site VPN between the head office and the branch through the internet, so, how to be done and where on router or firewall.

Thanks a lot for your cooperation.


Re: Site to Site VPN


You need to configure VPN on the end device (i.e close to internet). To my understanding you have a following topology:-

----ASA----Router---[ Internet]---Router---ASA

If this is true, please refer the following sample configuration document link to configure VPN on Routers.

Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static

In this configuration example,
--The access-list 101 on R2 is used to define the interesting traffic for VPN.
--The access-list 175 on R2 is used to exempt the VPN interesting traffic from NAT on router. They keyword "DENY" is used for said purpose.

Similarly its done on Router 3 as well.

Note: You need the access-list 175, if you are doing NAT on router else its not required.




Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries