Can dynamic VPN clients communicate with other dynamic clients

dmoore830
Level 1

We currently have an ASA 5520 communicating with 10 ASA 5510s, all on static outside addresses. I was asked to add 5 additional 5510s on dynamic addresses. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.

First question: is this even possible, and if so, could someone direct me to an example or other resource? My testing shows packets just dying in the 5520.

1 Reply

Jennifer Halim
Cisco Employee

Yes, that is possible, but with one exception: both dynamic ends need to establish the tunnel to the 5520 first, as they can't talk directly to each other, and it will be a hub-and-spoke scenario where all traffic passes through the hub between the dynamic peers.

Here is the configuration which is required:

on ASA 5520:

same-security-traffic permit intra-interface

on ASA5510 - dynamic peer 1:

access-list <crypto-acl> permit ip <peer1-lan-subnet> <peer2-lan-subnet>

NAT exemption will need to be configured as well between peer1-lan-subnet to peer2-lan-subnet

on ASA5510 - dynamic peer 2:

access-list <crypto-acl> permit ip <peer2-lan-subnet> <peer1-lan-subnet>

NAT exemption will need to be configured as well between peer2-lan-subnet to peer1-lan-subnet

Then clear the tunnel on all ends so the new crypto ACL can be negotiated.
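Below is a worked version of the hub-and-spoke layout the reply describes, written here as an added example; it is not configuration from the original post or from Cisco. The addressing is assumed: hub LAN 10.0.0.0/24, spoke 1 LAN 10.1.0.0/24, spoke 2 LAN 10.2.0.0/24; the ACL names, map names, the placeholders <hub-outside-ip> and <wildcard-psk>, and the pre-8.3 "nat (inside) 0 access-list" exemption syntax are likewise assumptions (on ASA 8.3 and later the exemption is expressed with object-based twice NAT instead). The hub uses a dynamic crypto map because the spokes have no fixed address, and the map is restricted with "match address" so that the hub only accepts the proxy identities it expects; without that restriction any peer holding the wildcard pre-shared key could bring up a tunnel claiming another spoke's LAN.

```cisco
! ---- Hub (ASA 5520, static outside address, LAN 10.0.0.0/24) ----
! Traffic arriving on outside from spoke 1 must be sent back out outside
! to spoke 2; this is the hairpin the reply refers to.
same-security-traffic permit intra-interface
!
! Phase 1 policy (identical on the spokes).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Mirror of everything the two dynamic spokes will propose:
! hub<->spoke1, hub<->spoke2 and spoke1<->spoke2 in both directions.
access-list DYN_SPOKES extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list DYN_SPOKES extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list DYN_SPOKES extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list DYN_SPOKES extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN 10 match address DYN_SPOKES
crypto dynamic-map DYN 10 set transform-set ESP-AES-SHA
! Dynamic entry goes last so static peers (the 10 existing 5510s) match first.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
!
! Peers with unknown addresses authenticate against the default L2L group.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <wildcard-psk>
!
! If NAT rules exist on the hub's outside interface, add a matching
! "nat (outside) 0 access-list ..." exemption for the spoke-to-spoke pairs;
! with no NAT on outside the hairpinned traffic is not translated.
!
! ---- Spoke 1 (ASA 5510, dynamic outside address, LAN 10.1.0.0/24) ----
! Crypto ACL: hub LAN plus the other spoke's LAN, both via the hub.
access-list VPN_TO_HUB extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN_TO_HUB extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! NAT exemption for exactly the same pairs, or the inside PAT rewrites the
! source and the packets never match the crypto ACL.
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_HUB
crypto map OUTSIDE_MAP 10 set peer <hub-outside-ip>
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
tunnel-group <hub-outside-ip> type ipsec-l2l
tunnel-group <hub-outside-ip> ipsec-attributes
 pre-shared-key <wildcard-psk>
!
! ---- Spoke 2 (ASA 5510, dynamic outside address, LAN 10.2.0.0/24) ----
! Mirror image of spoke 1: swap 10.1.0.0/24 and 10.2.0.0/24.
access-list VPN_TO_HUB extended permit ip 10.2.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN_TO_HUB extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
! (transform-set, crypto map, isakmp and tunnel-group lines as on spoke 1)
!
! ---- On every box after editing the crypto ACLs ----
! Existing SAs carry the old proxy identities; tear them down so the new
! spoke1<->spoke2 selectors are negotiated on the next interesting packet.
clear crypto ipsec sa
clear crypto isakmp sa
```

After the spokes re-establish, "show crypto ipsec sa" on the hub should list a separate SA pair for each crypto ACL entry, including the 10.1.0.0/24 <-> 10.2.0.0/24 pair on both spoke tunnels; if that pair is missing on one side, the crypto ACL on that spoke is not the mirror of the other's and the hub will drop the hairpinned packets exactly as the original poster observed.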