site to site vpn design question

kope
Level 1

I am trying to design a solution for three site-to-site tunnels to three different customers via an ASA as the VPN endpoint on my end. The customers' connections are via T1 connections and there will be three 2811 routers in front of the ASA for the T1 connections. My diagram would look like this:

       customer a ---+                  +-- t1 -- cisco2811 --<lan 1>--+
                     |                  |                              |   ______
       customer b ---+-- <internet> ----+-- t1 -- cisco2811 --<lan 2>--+--| ASA  |--- inside network
                     |                  |                              |  |______|
       customer c ---+                  +-- t1 -- cisco2811 --<lan 3>--+

These look like my options; I am not sure if this would work, please comment.

-- Can I terminate three different physical links directly on the ASA and create three site-to-site tunnels with three different endpoint (peer) IPs? Can the ASA support three outside interfaces with the same security zone 0?

-- My other option could be putting a switch between the 2811s and the ASA so I could possibly configure a single trunk to the ASA?

I only have two blocks of public IP addresses for each customer (one block belongs to the T1 side, the other block to the LAN side).

Has anyone run into a similar situation?

Thanks,

1 Reply

Jennifer Halim
Cisco Employee

I would recommend terminating all the 3 VPN tunnels to just the 1 outside interface of the ASA for simplicity.

Basically, configure all the 2811 LAN interfaces with a public IP range in the same subnet as the ASA outside interface, with a switch connecting all 3 routers and the ASA outside interface. On the ASA, you would need to configure a route for each customer's VPN peer IP and LAN subnets to be routed to the corresponding 2811 router LAN interface IP.
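As an added example (not from the thread and not the poster's configuration), the ASA side of the single-outside-interface design above, written in ASA 8.4+ syntax with constructed RFC 5737 / RFC 1918 addresses: the three 2811 LAN interfaces and the ASA outside interface share 192.0.2.0/27, and each customer's peer IP and remote LAN are routed to that customer's 2811 so the ASA never needs a default route that all three peers would have to share. Customer A's tunnel is shown in full; B and C repeat the pattern with their own ACL, crypto map sequence number and tunnel-group.

```cisco
! Added example, not the thread's config. All addresses are constructed.
! Single outside interface, shared with the three 2811 LAN interfaces.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.224
!
! One host route per customer peer IP and one route per customer LAN.
! Next hop is that customer's 2811 LAN interface (A=.2, B=.3, C=.4).
route outside 203.0.113.10 255.255.255.255 192.0.2.2
route outside 10.10.0.0 255.255.255.0 192.0.2.2
route outside 203.0.113.20 255.255.255.255 192.0.2.3
route outside 10.20.0.0 255.255.255.0 192.0.2.3
route outside 203.0.113.30 255.255.255.255 192.0.2.4
route outside 10.30.0.0 255.255.255.0 192.0.2.4
!
object network INSIDE_NET
 subnet 172.16.0.0 255.255.0.0
object network CUST_A_NET
 subnet 10.10.0.0 255.255.255.0
! NAT exemption so tunnel traffic keeps its real addresses.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static CUST_A_NET CUST_A_NET no-proxy-arp route-lookup
! Interesting traffic for customer A only; B and C get their own ACLs.
access-list VPN_A extended permit ip object INSIDE_NET object CUST_A_NET
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! One crypto map entry per peer; entries 20 and 30 follow the same pattern.
crypto map OUTSIDE_MAP 10 match address VPN_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK_FOR_CUSTOMER_A_PLACEHOLDER>
```

After applying, `show route` should list each peer host route and each customer LAN behind the matching 2811, and `show crypto ikev1 sa` should show one SA per peer once the remote ends are brought up.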