3181 Views | 0 Helpful | 1 Reply

VPN with two devices, same Encryption Domain behind two endpoints?

DotTest37
Level 1

I got a VPN request form from one of our partners.

On my side I have one ASA 5520 running 8.0(3).

On their form, it says that their endpoints are two boxes, sitting in different cities.

It also says that there is only one encryption domain (actually just one IP) that I need to specify in the VPN settings.

It looks like they mean that you could access the same encryption domain from either of the two boxes in the different cities.

This is strange to me, since every time I have set up a VPN before, each endpoint has had its own encryption domain.

I have never seen two endpoints with the same encryption domain behind them, so I'm confused whether it might be a mistake on their part, or whether this is expected.

Have you seen something like that?

How will my ASA know which endpoint to use when directing traffic to their encryption domain?

Thanks guys

Sven

1 Reply

Marcin Latosiewicz
Cisco Employee

Sven,

This is not that uncommon.

Quite typically the remote end would be connected on the backend via a separate circuit, so it should not matter where you connect - dynamic routing will typically take care of anything else.

What you can do on the ASA is to use BOTH of the IPs on their side in one crypto map entry. This will cause the ASA to use the first IP and fall back to the second if the first one fails.

M.
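The reply above describes listing both partner endpoints as peers in a single crypto map entry. The following is an added example of that configuration for an ASA running pre-8.3 software (not posted by either participant); the addresses, network, ACL and object names, and the pre-shared key are placeholders assumed for illustration.

```text
! Added example, not from the thread. Assumed/placeholder values:
!   203.0.113.10 and 203.0.113.20 = the partner's two VPN endpoints
!   198.51.100.5                  = the partner's single encryption-domain host
!   10.10.10.0/24                 = the local network that must reach it
!   PARTNER_PSK                   = placeholder pre-shared key
!
! One crypto ACL: the same remote host, whichever partner endpoint is in use.
access-list VPN_PARTNER extended permit ip 10.10.10.0 255.255.255.0 host 198.51.100.5
!
! Exempt the tunnel traffic from NAT (pre-8.3 syntax).
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 host 198.51.100.5
nat (inside) 0 access-list NONAT
!
! Phase 1 (IKEv1 on 8.0).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! One tunnel-group per remote endpoint, so either peer can authenticate
! and a connection initiated from either side is matched to the same PSK.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PARTNER_PSK
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key PARTNER_PSK
!
! Phase 2: both peers in ONE crypto map entry. The ASA negotiates with the
! first peer listed and moves to the second only if the first stops responding.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_PARTNER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Verification: confirm which of the two peers the SAs were actually built with.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
show crypto ipsec sa peer 203.0.113.20
```

Note that the fallback is driven by IKE reachability, not by the partner's internal routing: the partner must return traffic for the encryption domain through whichever endpoint currently holds the tunnel, so when testing, verify the SA counters on the ASA and confirm with the partner that both paths are routed symmetrically.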
