Cisco Support Community

How to route intersite WAN traffic through IPS

Hello all,

We have a partial mesh setup w/Frame Relay. We have 10 remote sites connected via PVCs to the main site and via a PVC to a backup site. The main site and backup site are connected via a PVC. We are running EIGRP everywhere.

We have installed an ASA 5520 with an AIP-SSM-20 to guard our internet connection. What I would REALLY like to do is somehow pipe the intersite WAN traffic as it flows through the hub site through the IPS then out to the actual site.

At the hub site we have 1x 2650XM with 1 Ethernet interface and 3x serial interfaces in a multilink frame bundle. 2x Cat 3750 48 SMI in a cluster and an ASA5520-AIP20. I have an extra 2610XM lying around.

Is there any way to route the traffic through the IPS? For the life of me I just can't get it in my head how to do it.

Thanks a bundle!!


Re: How to route intersite WAN traffic through IPS

Be nice if you had some more Ethernet connections on your router. First option is to buy some more to make this less confusing, but if that is not an option then:

There is a way to do this with a single interface but assume 2 for simpler firewall configuration.

Make sure you can define 802.1q interfaces on your 2650.

Create 2 new subinterfaces on the 2650 and 2 new VLANs on the 3750. Plug the ASA inside and outside ports into ports defined on each VLAN. Define point-to-point addresses between the ASA and the router.

Place policy routing in the PVCs, forcing the traffic to go to the new subinterface that leads to the ASA's inside interface.

The traffic should pass through the ASA and return to the router and be sent out the serial lines.

If you are running your frame interface point to multipoint... i.e. you only have a single IP address at the central site that talks to all the remote sites... I am not sure if this will work.

If you have separate subinterfaces you can place policy routing on each.

The router is processing the packets multiple times now so be sure you do not overload it.