Cisco 881 to ASA 5510 Site-to-Site VPN - How to?

Hello to all Cisco experts

I have a few questions regarding VPN tunnels between Cisco 881 and ASA 5510.

I am supposed to build a few of them with 881 at the branch ends and 5510 at my central location.

The questions I have are mostly in regard to the 881 at the branch ends. I got these routers directly from Cisco for a project pilot we are running with them for one of our important customers. Besides the console port, the following ports are available on the back panel:

A FastEthernet switch with 4 ports (FE0 to FE3)
One FEWAN port marked as FEWAN (FE04 in configuration file)
A virtual LAN VLAN1 which of course does not have a physical port, so my assumption is that the switch ports FE0 to FE3 are part of this VLAN1

All I need is to create VPN tunnels between these routers and my ASA 5510.

Here are my questions:

1. It appears that an IP can be assigned to interfaces VLAN1 and FE04 only. I think the VLAN1 is for the internal IP and FastEthernet4 for the external IP. What is the approach here?

       a. Put the DSL modem in bridge mode and assign the external IP to FEWAN FE04 and the internal IP to the VLAN1 interface (this IP will act as gateway for the internal subnet)
       b. Put the DSL in bridge mode and configure the 881 to act as PPPoE client?

2. Is there a good document on how to set this up?

Thank you for taking the time to read and (hopefully) reply to my question.


Garry Glendown, Consulting and Network/Security Specialist, commented:
1. You can configure the switch ports to specific VLANs, thereby adding more routed ports ... just do something like "int fa3", "switchport access vlan 2", after that you can use that port for hooking up additional devices or PPP links.
As for the WAN port, for one I'd recommend getting the 887 (I assume Annex A for the US) to directly connect to the DSL line without a modem, after all it's about the same price as the 881, but you can go without the extra box.
Anyway, after picking the WAN port (as e.g. FE4), set up the PPPoE dialer to connect to the internet. This is pretty straightforward, config samples are available at Cisco ( has several samples)

2. yes. ;) See above. As for the VPN, there's also multiple examples available on the Cisco site, e.g. (using SDM on the Router side)
Bibecu (Author) commented:
Thank you very much for your prompt answer. Well, I had no choice in choosing the routers, this is the model Cisco sent to us to use in this demo.

I have the ISP provider installing the DSL line tomorrow and then start doing the work on Monday. I have 14 branches to go to!

I will keep you posted how it works

Garry Glendown, Consulting and Network/Security Specialist, commented:
For testing, the 881 should be fine ... as for the config, the only difference between it and the 887 is the interface you add the dialer group to ... so if you have everything working with the 881, you just need to configure a couple extra lines for the ATM interface and you're done ...

If the project heads toward implementing, I'd opt for an 880VA series - they're actually cheaper than the current 870 series routers, more or less same price as the non-VA router, but covers both ADSL2+ _AND_ VDSL ...

Bibecu (Author) commented:
Thanks Garry,

If it works (the Energy Management Software we install for the client) then Cisco and I will work with the client (big financial institution here up north in Canada) to do a site-to-site firewall-to-firewall as a permanent solution. Their security did not want to get involved at this point, only if the pilot is successful.
I guess they have enough headaches with the frauds and all sorts of attacks.

Garry Glendown, Consulting and Network/Security Specialist, commented:
We used 876 routers for a 400-shop rollout ... no VPN though, just DSL MPLS backbone ... managed to easily configure 40+ routers per day for sending out using a home-brew configuration script that did everything from base config through DSL test and local registration in an asset db ... my personal best was 5min per router from opening the box to closing it back up for labeling ;)

Bibecu (Author) commented:
Thanks Garry for your input. Managed to configure the first one in about 30 min and from there was down to 10 min each.

Question has a verified solution.