Cisco Support Community
New Member

VPN with two devices, same Encryption Domain behind two endpoints?

I got a VPN request form from one of our partners.

On my side I have one ASA 5520 running 8.0(3).

On their form, it says that their endpoints are two boxes, sitting in different cities.

It also says that there is only one encryption domain (actually just one IP) that I need to specify in the VPN settings.

It looks like they mean that you could access the same encryption domain from either of the two boxes in the different cities.

This is strange to me, since every time I have set up a VPN before, each endpoint has had its own encryption domain.

I have never seen two endpoints with the same encryption domain behind them, so I'm confused whether it might be a mistake on their part or whether this is expected.

Have you seen something like that?

How will my ASA know which endpoint to use when directing traffic to their encryption domain?

Thanks, guys.


Cisco Employee


This is not that uncommon.

Quite typically the remote end would be connected on the backend via a separate circuit, so it should not matter where you connect; dynamic routing will typically take care of anything else.

What you can do on the ASA is to use BOTH of the IPs on their side in one crypto map entry. This will cause the ASA to use the first IP and fall back to the second if the first one fails.
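The multi-peer crypto map entry described in the reply above, written out as an added ASA 8.0 configuration example (this is not configuration from the original thread or from Cisco; all addresses are assumed placeholders from the RFC 5737 documentation ranges, and the ACL, crypto map and transform-set names are made up for illustration):

```cisco
! Added example, not from the original thread. Assumed placeholder addresses:
!   203.0.113.10 / 203.0.113.20  = the partner's two IPsec endpoints (two cities)
!   192.168.10.0/24              = your local encryption domain
!   10.9.9.9                     = the partner's single host (their one-IP encryption domain)
!
! Interesting traffic: one ACL, used whichever partner peer ends up carrying the tunnel.
access-list PARTNER_VPN extended permit ip 192.168.10.0 255.255.255.0 host 10.9.9.9

! Phase 1 and Phase 2 parameters (match whatever the partner's request form specifies).
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set PARTNER_TS esp-aes-256 esp-sha-hmac

! One crypto map entry, two peers. The ASA tries 203.0.113.10 first and moves
! on to 203.0.113.20 only if the first peer does not answer the IKE negotiation.
crypto map OUTSIDE_MAP 10 match address PARTNER_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE_MAP 10 set transform-set PARTNER_TS
crypto map OUTSIDE_MAP interface outside

! Each peer address needs its own L2L tunnel-group so that Phase 1 from either
! box is matched to the agreed pre-shared key rather than falling into
! DefaultL2LGroup. DPD (isakmp keepalive) is what lets the ASA notice a dead
! primary and bring the tunnel up to the backup.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <key-agreed-with-partner>
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <key-agreed-with-partner>
 isakmp keepalive threshold 10 retry 2
```

Two things to check once this is in place. First, the fallback is decided when the ASA initiates Phase 1: if the first listed peer does not respond, the next one is tried, so `show crypto isakmp sa` is the way to confirm which of the partner's two addresses the live SA is actually with. Second, the usual site-to-site requirements still apply (NAT exemption for the PARTNER_VPN traffic, and a route for 10.9.9.9 out of the outside interface); the second peer does not change any of that, it only gives the ASA an alternative address to negotiate with.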