asked on
IPsec Branch Offices
We have recently moved most of our company Branch offices to local ISPs from leased lines. The sites have either 2811 or 1941 routers terminating the IPsec connection on the branch end, and our HQ end with ASA 5510s.
The Sites that have been moved to the VPN solutions cannot see or talk to other VPN sites.
ie. Someone in Site A cannot connect to the computers in Site B. but from the HQ side, anyone can see all branch sites. and all branch sites can communicate with the HQ side.
These are site-to-site VPN connections. Does anyone have any thoughts as to how we could make the different branch offices talk to each other.
I know that moving to a DMVPN solution would solve this problem, however that is not a possibility at this time. I'm hoping there is another work around for what we currently have in place.
The Sites that have been moved to the VPN solutions cannot see or talk to other VPN sites.
ie. Someone in Site A cannot connect to the computers in Site B. but from the HQ side, anyone can see all branch sites. and all branch sites can communicate with the HQ side.
These are site-to-site VPN connections. Does anyone have any thoughts as to how we could make the different branch offices talk to each other.
I know that moving to a DMVPN solution would solve this problem, however that is not a possibility at this time. I'm hoping there is another work around for what we currently have in place.
RoutersInternet Protocol SecuritySoftware Firewalls
Last Comment
Sandeep Gupta
akhalighi is right that this can be done on the 5510. My guess would be that you are missing branch sites in your crypto maps, nonat statements, same-security permit, or a combination. It would be helpful to post the config of your HQ and at least 2 branches.
Good example:
http://popravak.wordpress.com/2011/11/02/cisco-asa-spoke-to-spoke-ipsec-vpn/
Good example:
http://popravak.wordpress.com/2011/11/02/cisco-asa-spoke-to-spoke-ipsec-vpn/
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
we have a similar setup and all branches can talk to each other but traffic goes through main branch as the central point .