08-26-2011 08:39 AM - edited 03-04-2019 01:25 PM
I have a scenario in which I need to have multiple branch offices talking to one another using ASA 5505/5510 firewalls and 881 routers. I have 90% of my configuration setup perfectly, I think, but I don't have much experience with WAN setups, so I'm not sure how to proceed. Here's the scenario:
Home Office
ASA 5505 (upgrading to 5510 in the near future)
(Adding a 2900-Series Router with PRI voice module in the near future)
Single data subnet, but will expand to dual data/voice
... this home office maintains a permanent site-to-site VPN to ...
Remote Office 1
ASA 5505
2800-Series Router with PRI voice modules
Call Manager Server
Triple Subnet setup -- Data (Wired), Data (Wireless), Voice
>>> This VPN connection is established over two enterprise cable connections.
Remote Offices 2-5
ASA 5505
Single data subnet, no changes planned
>>> All of these are site-to-site VPN connected to the home office AND each other, so all of them are able to access each other directly. Has been working great for 3 years.
>>> Enter New Remote Offices...
Remote Offices 6-60
881 Router
Single Subnet
>>> These will establish a site-to-site VPN to the Home Office, because this is where the majority of their data and calls will go. They will also use the Home Office PRI for outbound calls. However, because currently my only Call Manager is at Remote Office 1, they need to be able to access it, and they need to access each other. Of course, the 881 can't establish enough VPN tunnels to accommodate so many offices, so that rules out configuring them the same as my ASA-based sites. I'm trying to avoid having to buy two ASA 5510's and licensing.
For now, my first 881 remote site is doing a VPN to Remote Site 1 for testing with Call Manager. That is working perfectly.
The question is... how do I allow the traffic from the remote sites to come home and back to another remote site in this scenario? I'm not sure what additional NAT/ACL configurations will be necessary. I assume changes will be needed on Home ASA, Remote ASA, and Remote 881's.
I can post any configuration details requested.
08-28-2011 01:24 AM
I think your action plan is good.
Once you reach phase 2, start with the DMVPN setup to have your hub routers ready for rolling out the remote/spoke DMVPN sites.
Have a look at the below link, which shows you how to have two redundant dual-hub DMVPN.
Also, you might consider configuring the new NHRP features in DMVPN:
Router(config-if)#ip nhrp shortcut
Router(config-if)# ip nhrp redirect
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_nhrp.html
About remote sites 2-5: you can keep them as L2L VPN going to the hubs and make sure you inject their routes into DMVPN routing.
HTH
please rate the helpful posts
08-29-2011 01:05 PM
Thanks for your advice. I will move forward with this strategy and begin reading up on it.
I'll go through and mark any appropriate comments as helpful and correct answers.
08-29-2011 02:16 PM
Good luck and thanks for the nice rating too