nBuck

VPN to home office (ASA 5520) and site-to-site (871) between branches

I have had my ASA 5520 up and running with 60 branch offices connecting with 871 routers for 9 months. I also have connectivity between branches running through the ASA. However, this is not practical now that I want to make VoIP calls between branches. No reason to tunnel from west coast to east coast and then back to west coast for a call that is only 200 miles from each other. I want to have my 871 routers build tunnels between themselves but still have connectivity back to the ASA. Before I post any configs I want to know if this was even possible with the hardware I am using.
batry_boy

Yes, that is possible, but you will probably have to reconfigure your existing VPN tunnel crypto ACLs so that your branch-to-branch traffic doesn't get sent down the tunnel to the ASA anymore. In short, you'll want to configure each branch router such that only the networks at the site behind the ASA get sent down the tunnel to the ASA, and then any other branch traffic gets sent down another specific VPN tunnel connected to the router at that branch... did that make sense?
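
The split described in the answer above, sketched as an added example for one branch 871 using static crypto maps (this is not a config from the thread). Every address, name and key below is a constructed placeholder, and the layout of one crypto map with two sequence entries is an assumption about how the branch is set up.

```cisco
! Constructed example for one branch 871 ("branch A"). Placeholders throughout:
!   HQ LAN behind the ASA 5520 : 10.0.0.0/24   ASA outside          : 192.0.2.1
!   Branch A LAN (this router) : 10.1.1.0/24
!   Branch B LAN               : 10.1.2.0/24   Branch B 871 outside : 198.51.100.2
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
! One pre-shared key per peer, so a leaked branch key does not expose the HQ tunnel.
crypto isakmp key <PSK-HQ> address 192.0.2.1
crypto isakmp key <PSK-BRANCH-B> address 198.51.100.2
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Crypto ACL for the HQ tunnel: only the networks behind the ASA,
! no longer a blanket entry that also catches other branches.
ip access-list extended VPN-TO-HQ
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Crypto ACL for the direct tunnel: only branch B's LAN.
ip access-list extended VPN-TO-BRANCH-B
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! One crypto map on the outside interface, one sequence entry per peer.
crypto map BRANCH-VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-AES256-SHA
 match address VPN-TO-HQ
crypto map BRANCH-VPN 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set ESP-AES256-SHA
 match address VPN-TO-BRANCH-B
!
interface FastEthernet4
 crypto map BRANCH-VPN
```

Each peer needs the mirror-image crypto ACL, and the ASA's ACL for this branch has to be narrowed the same way or the two ends will disagree on the protected networks. Traffic that matches no crypto ACL entry leaves the outside interface unencrypted, so check that every branch subnet is covered by exactly one entry.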
nBuck

ASKER

I just figured this out about 5 minutes before you sent that in. I had attempted to do this 3 months ago and never got a chance to finish this and had to put it aside. An upcoming trip tomorrow brought the project back up in a hurry and I wanted to make sure it was even possible. I am using the EzVPN configuration for my connection from the 871 to the ASA and just a standard IPSec tunnel between sites. I would be happy to post my configs once I get this into production and fully tested next week.
nBuck

ASKER

But I will still credit you the points.
Thanks!  Good luck!
nBuck

ASKER

Well I take back part of what I said earlier. I have full connectivity from the EasyVPN Server 871 into my ASA 5520 and the 871 Easy VPN client.

The Easy VPN Client 871 has connectivity into the Easy VPN Server 871 but will not pass traffic to the ASA 5520. The tunnel shows up according to the ASDM from the ASA 5520 but no traffic will pass.

I read this:
http://www-europe.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftezvpnr.htm#1121311

The part about Multiple Outside Interfaces, does that pertain to me? Can I not have two VPN connections on one outside interface?
ASKER CERTIFIED SOLUTION
nBuck
