Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN spoke to spoke

I have a problem that I hope someone can help me with.

I have Cisco ASA 5515 at the head office and some Zyxel USG Routers on various remote locations.

I have made IPsec site-to-site VPN between ASA and Zyxel. My challenge now is that I also want to be able to access resources between sub-locations directly.

So people at the sub-location can communicate directly with each other I have attached a small drawing which shows a part of their network. What I want is that Site B can access resources on the Site C and vice versa.

Please help.


Hello, On this case regarding



On this case regarding the topology attached, the ASA 5515 will act as a Hub, because it can intercommunicate with the sub-locations with the IPSec Site to site:


Zyxel C(<--------->ASA(5515)A<------->Zyxel B(


Basically the Encryption domains defined on the access-list, we will have to add some entries for both sides:



ASA 5515X

1.Site to site between ASA and C

access-list Zyxel_C permit ip

2. Site to site Between ASA and B

access-list Zyxel_B permit ip


Those access control lists are part of the match address configuration within the crypto map configuration.


Then create NAT 0 for those statements, that are defined logically from <outside to outside>. Though It would really come in handy if you can attach either one of the following outputs:


- Show tech of the ASA and indicate which is the crypto map for site C and B

- Or just copy and paste the crypto map configuration along with the ASA version, also make sure the access control list of the encryption domain can be attached too.


David Castro

Cisco TAC Support Engineer, Team VPN