Solved

Cisco 881 to ASA 5510  Site-to-Site VPN - How to ?

Posted on 2011-09-29
Last Modified: 2012-05-12
Hello to all Cisco experts

I have a few questions regarding VPN tunnels between Cisco 881 and ASA 5510

I am supposed to build a few of them with 881 at the branch ends and 5510 at my central location.

The questions I have are mostly in regard to the 881 at the branch ends. I got these routers directly from Cisco for a project pilot we are running with them for one of our important customers. Besides the console port, the following ports are available on the back panel

A FastEthernet switch  with 4 ports  (FE0 to FE3)
One FEWAN  port marked as FEWAN  (FE04 in configuration file)
A virtual LAN VLAN1 which of course does not have a physical port, so my assumption is that the switch ports   FE0 to FE3 are part of this VLAN1

All I need is to create VPN tunnels  between these routers and my ASA 5510.  

Here are my questions:

1. It appears that an IP can be assigned to interfaces VLAN1 and FE04 only. I think the VLAN1 is for internal IP and FastEthernet4 for external IP. What is the approach here?

       a. Put the DSL modem in bridge mode and assign the external IP to FEWAN FE04 and internal IP to the VLAN1 interface (this IP will act as gateway for internal subnet)
       b.  Put the DSL in bridge mode and configure 881 to act as PPPoE client ?

2. Is there a good document how to set this up ?

Thank you for taking the time to read and (hopefully) reply to my question

Cheers

Question by:Bibecu
Accepted Solution

by:
Garry-G earned 500 total points
1. You can configure the switch ports to specific VLANs, thereby adding more routed ports ... just do something like "int fa3", "switchport access vlan 2", after that you can use that port for hooking up additional devices or PPP links.
As for the WAN port, for one I'd recommend getting the 887 (I assume Annex A for the US) to directly connect to the DSL line without a modem, after all it's about the same price as the 881, but you can go without the extra box.
Anyway, after picking the WAN port (as e.g. FE4), set up the PPPoE dialer to connect to the internet. This is pretty straightforward, config samples are available at Cisco (http://www.cisco.com/en/US/tech/tk175/tk819/tech_configuration_examples_list.html has several samples)

2. yes. ;) See above. As for the VPN, there's also multiple examples available on the Cisco site, e.g. http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml (using SDM on the Router side)
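Added example, not part of the original thread: a branch-side 881 configuration sketch for the approach described in the accepted answer (internal IP on Vlan1, PPPoE dialer on FastEthernet4, IKEv1 site-to-site tunnel to the ASA). All addresses, names, credentials and the crypto proposals (AES-256, SHA, DH group 5) are assumptions; both ends must be configured with matching proposals, and stronger ones should be used where both platforms support them.

```cisco
! Constructed example values: branch LAN 192.168.10.0/24, central LAN 10.0.0.0/24,
! ASA outside address 203.0.113.1 (documentation range), placeholder credentials.
interface Vlan1
 description Branch LAN (switch ports FE0-FE3)
 ip address 192.168.10.1 255.255.255.0
 ip tcp adjust-mss 1452
!
interface FastEthernet4
 description WAN to DSL modem in bridge mode
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname <PPPOE-USER>
 ppp chap password <PPPOE-PASSWORD>
 crypto map BRANCH-VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! IKEv1 phase 1: must match a policy configured on the ASA
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Use a different pre-shared key for every branch
crypto isakmp key <UNIQUE-PSK-PER-BRANCH> address 203.0.113.1
!
! IKEv1 phase 2: ESP with AES-256 and SHA-1 HMAC
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Interesting traffic; the ASA side needs the mirror-image ACL
ip access-list extended VPN-TO-CENTRAL
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map BRANCH-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES256-SHA
 set pfs group5
 match address VPN-TO-CENTRAL
```

If the ISP hands out a changing address over PPPoE, the ASA cannot reference the branch as a fixed peer and has to accept it through a dynamic crypto map. If NAT overload is later added on Dialer1 for Internet access, the traffic matched by VPN-TO-CENTRAL must be excluded from translation.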
 

Author Comment

by:Bibecu
Thank you very much for your prompt answer.  Well, I had no choice in choosing the routers, this is the model Cisco sent to us to use in this demo

I have the ISP provider installing the DSL line tomorrow and then start doing the work on Monday.  I have 14 branches to go to  !

I will keep you posted how it works

Cheers

Expert Comment

by:Garry-G
For testing, the 881 should be fine ... as for the config, the only difference between it and the 887 is the interface you add the dialer group to ... so if you have everything working with the 881, you just need to configure a couple extra lines for the ATM interface and you're done ...

If the project heads toward implementing, I'd opt for an 880VA series - they're actually cheaper than the current 870 series routers, more or less same price as the non-VA router, but covers both ADSL2+ _AND_ VDSL ...

Author Comment

by:Bibecu
Thanks Garry,

If it works (the Energy Management Software we install for the client) then Cisco and I will work with the client (big financial institution here up north in Canada) to do a site to site firewall to firewall as a permanent solution. Their security did not want to get involved at this point, only if the pilot is successful.
I guess they have enough headache with the frauds and all sorts of attacks.

Expert Comment

by:Garry-G
We used 876 routers for a 400-shop rollout ... no VPN though, just DSL MPLS backbone ... managed to easily configure 40+ routers per day for sending out using home-brew configuration script that did everything from base config through DSL test and local registration in an asset db ... my personal best was 5min per router from opening the box to closing it back up for labeling ;)
 

Author Closing Comment

by:Bibecu
Thanks Garry for your input. Managed to configure the first one in about 30 min and from there was down to 10 min each

Cheers