Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN Multisites with cisco ASA

Hi Everybody,

I have the HeadQuarter (HQ) and the Branch Offices (BO1, BO2, ...) and I want to establish a vpn site to site tunnel between the HQ and the BOs. this task was accomplished successfully, but i want also to permit communication between the differents BOs.

Do the differents BOs can communicate between them throught the HQ ? else, what is the solution to this scenario ?

NB: I avoid to create a full mesh vpn between the diffrents BOs, because i will have a long and complicated configuration.

Thank you for your understanding.

Best regards,


Super Bronze

VPN Multisites with cisco ASA


I think you simply need to configure the L2L VPN "interesting traffic" ACL in your VPN configurations to include the networks you want to communicate with eachother

Also you will need to create a NAT0 / NAT Exempt configuration on your HQ ASAs outside interface that will let all the traffic between remote sites pass unnated through the central ASA.

You will also check that you have the "same-security-traffic permit intra-interface" command configured on the HQ ASA. This will allow the ASA to send interface out on the same interface that it received the traffic. In this scenario it would basically mean traffic arriving and leaving from the outside interface.

If you need specific CLI configuration examples let me know.

Please also state your ASA firewalls software versions (since NAT configurations format depends on the software version)

- Jouni

New Member

VPN Multisites with cisco ASA


thank you for your feedback.

I have already tested the "interesting traffic" in the crypto map and the NAT Exempt. but I didnt test the "same-security-traffic permit intra-interface" configuration, this may be the reason ?



Super Bronze

Re: VPN Multisites with cisco ASA


Theres two of the "same security-traffic" commands.

They are:

same-security-traffic permit inter-interface

  • The above command enables communication between two ASA interfaces of the same security level.

same-security-traffic permit intra-interface

  • The above command enables communication between two hosts on the same interface. Basicly this lets the traffic/connection arrive on one interface and get routed back to the destination from it.
  • This applies to your situation with the multiple VPN sites as they are only using the outside interface of the ASA. Connections are arriving on the interface and also leaving from it.

Please rate if you found the information helpfull.

- Jouni

CreatePlease to create content