
New Member

VPN Design Question

Re: the attached picture

There are two secure sites, site A and site B. Administrators of the servers and network devices at each site, and site-to-site communication, have to be secured by VPN.

Would the depicted design be possible, whereby site-to-site communication is via an L2L IPSec VPN terminated on the ASAs at site A and B, and with remote access IPSec VPNs terminated on the ASA at site A?

Presuming I am right in thinking that VPN can be enabled on multiple ASA interfaces, the only problem I can see is whether administrators at site A, with remote access VPN configured on the ASA at site A, would be able to reach resources at site B over the L2L IPSec VPN.

Does anyone know of any design documents that I could use to help implement a solution like the one above? I have a potential customer that has the same solution in place on alternate vendor equipment.

Cisco Employee

Re: VPN Design Question


Yes, that will indeed be possible. We will just need a little modification to the ACLs that we specify for the crypto maps for the site-to-site tunnel. Here is a document for the same:

Basically, assuming the following:

VPN client assigned IP network: A

Site 1 network: B

Site 2 network: C

For the remote access VPN users, if we have split tunnelling enabled, we will need to permit network C as well.

The crypto ACLs will have to be modified as below:

On site 1: in addition to the line from B ----> C, add another one from A ----> C

In addition, we need to enable the intra-interface configuration, so we need to have:

same-security-traffic permit intra-interface

On site 2: in addition to the line from C ----> B, we need another one from C ----> A

Hope this helps!!

All the best!!

Thanks and Regards,
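The changes described in this reply, written out as a constructed ASA configuration fragment (an added example, not the reply's own document or any customer's config). It uses pre-8.3 ASA syntax (netmasks, nat 0 exemption); the addresses, ACL and object names, peer IPs and transform-set name are assumptions, and ISAKMP policy, transform set and tunnel-groups are assumed to be configured already.

```cisco
! Constructed example, not from the thread. Pre-8.3 ASA syntax (masks, nat 0).
! Assumed addresses: A = RA client pool 10.10.10.0/24, B = site 1 LAN 192.168.1.0/24,
! C = site 2 LAN 192.168.2.0/24; peers 203.0.113.1 (site 1) and 203.0.113.2 (site 2).

!--- Site 1 ASA: terminates the L2L tunnel and the remote-access VPN ---
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
! Client traffic bound for site 2 enters and leaves on outside; allow the hairpin
same-security-traffic permit intra-interface
! Crypto ACL for the L2L tunnel: B -> C plus the extra line A -> C
access-list L2L_SITE2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L_SITE2 extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
! NAT exemption: inside-sourced VPN traffic and the hairpinned A -> C traffic
access-list NONAT_IN extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT_OUT extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT_IN
nat (outside) 0 access-list NONAT_OUT
! Split-tunnel list for RA users must include C, or the client sends site 2 traffic outside the tunnel
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
access-list SPLIT standard permit 192.168.2.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
! Crypto map entry for the L2L peer (ISAKMP policy and transform set assumed present)
crypto map OUTSIDE_MAP 10 match address L2L_SITE2
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

!--- Site 2 ASA: mirror image, C -> B plus the extra line C -> A ---
access-list L2L_SITE1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_SITE1 extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT_IN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT_IN extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT_IN
crypto map OUTSIDE_MAP 10 match address L2L_SITE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

The crypto ACLs on the two sides must be exact mirrors of each other, or the A -> C security association will not negotiate; "show crypto ipsec sa" on either ASA shows whether a separate SA for the client pool has come up.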


New Member

Re: VPN Design Question

Thanks for your reply, that's great. Basically you are saying that you have to make sure networks are defined for interesting traffic in the site-to-site crypto map to catch traffic destined for site B.

Am I right that an alternative method (presuming a path/route exists) would be to enable remote access VPN on the ASA at site B also, and then administrators would simply need separate profiles (PCFs) to access each site within their client? This would probably be easier to implement also.



Cisco Employee

Re: VPN Design Question

Hey Paul,

Yes, that's right. That's the other alternative we have, and yes, that will be easier. But the first solution is the one you want if you want access to both sites simultaneously. If we have 2 separate PCFs for each site, at any point the client will have access to only the site he/she is connected to. At the end of the day, it all comes down to your requirement.

All the best!!


