Cisco 881 to ASA 5510  Site-to-Site VPN - How to ?

Posted on 2011-09-29
Last Modified: 2012-05-12
Hello to all Cisco experts

I have a few questions regarding VPN tunnels between Cisco 881 and ASA 5510

I am supposed to build a few of them with 881 at the branch ends and 5510 at my central location.

The questions I have are mostly in regard to the 881 at the branch ends. I got these routers directly from Cisco for a project pilot we are running with them for one of our important customers. Besides the console port, the following ports are available on the back panel

A FastEthernet switch  with 4 ports  (FE0 to FE3)
One FEWAN  port marked as FEWAN  (FE04 in configuration file)
A virtual LAN VLAN1 which of course does not have a physical port, so my assumption is that the switch ports   FE0 to FE3 are part of this VLAN1

All I need is to create VPN tunnels  between these routers and my ASA 5510.  

Here are my questions:

1. It appears that an IP can be assigned to interfaces VLAN1 and FE04 only. I think the VLAN1 is for internal IP and FastEthernet4 for external IP. What is the approach here?

       a. Put the DSL modem in bridge mode and assign the external IP to FEWAN FE04 and Internal IP to the VLAN1 interface (this IP will act as gateway for internal subnet)
       b.  Put the DSL in bridge mode and configure 881 to act as PPPoE client ?

2. Is there a good document how to set this up ?

Thank you for taking the time to read and (hopefully) reply to my question


Question by:Bibecu

Accepted Solution

Garry-G earned 500 total points
ID: 36817153
1. You can configure the switch ports to specific VLANs, thereby adding more routed ports ... just do something like "int fa3", "switchport access vlan 2", after that you can use that port for hooking up additional devices or PPP links.
As for the WAN port, for one I'd recommend getting the 887 (I assume Annex A for the US) to directly connect to the DSL line without a modem, after all it's about the same price as the 881, but you can go without the extra box.
Anyway, after picking the WAN port (as e.g. FE4), set up the PPPoE dialer to connect to the internet. This is pretty straightforward, config samples are available at Cisco ( has several samples)

2. yes. ;) See above. As for the VPN, there's also multiple examples available on the Cisco site, e.g. (using SDM on the Router side)

Author Comment

ID: 36817204
Thank you very much for your prompt answer.  Well, I had no choice in choosing the routers, this is the model Cisco sent to us to use in this demo

I have the ISP provider installing the DSL line tomorrow and then start doing the work on Monday.  I have 14 branches to go to  !

I will keep you posted how it works


Expert Comment

ID: 36817245
For testing, the 881 should be fine ... as for the config, the only difference between it and the 887 is the interface you add the dialer group to ... so if you have everything working with the 881, you just need to configure a couple extra lines for the ATM interface and you're done ...

If the project heads toward implementing, I'd opt for an 880VA series - they're actually cheaper than the current 870 series routers, more or less same price as the non-VA router, but covers both ADSL2+ _AND_ VDSL ...


Author Comment

ID: 36817395
Thanks Garry,

If it works (the Energy Management Software we install for the client) then Cisco and I will work with the client (big financial institution here up north in Canada) to do a site to site firewall to firewall as a permanent solution. Their security did not want to get involved at this point, only if the pilot is successful
I guess they have enough headache with the frauds and all sort of attacks

Expert Comment

ID: 36817425
We used 876 routers for a 400-shop rollout ... no VPN though, just DSL MPLS backbone ... managed to easily configure 40+ routers per day for sending out using home-brew configuration script that did everything from base config through DSL test and local registration in an asset db ... my personal best was 5min per router from opening the box to closing it back up for labeling ;)

Author Closing Comment

ID: 36918311
Thanks Garry for your input. Managed to configure the first one in about 30 min and from there was down to 10 min each

