05-07-2010 12:26 PM
I am trying to design a solution for three site-to-site tunnels to three different customers via a ASA as the vpn endpoint on my end. The customers connection are via T1 connections and there will be three 2811 routers in front of the ASA for the T1 connections. My diagram would look like this:
customer a --------- -------------- t1 ------------- cisco2811 --------- <lan1> --------
______
customer b --------- <internet> -------------- t1 -------------- cisco2811 -----------<lan 2> ------- | ASA | ----------- inside network
|______|
customer c --------- ------------- t1 -------------- cisco2811 -----------<lan 3> -------
Looks like this could be my options, not sure if this would work, please comment.
-- Can I terminate three different physical links directly to the ASA and create three site to site tunnels with three different endpoint (peer) ip? Can the ASA support three outside interfaces with same security zone 0?
-- My other options could be putting a switch between the 2811s and the ASA so it could possibly configure a single trunk to the ASA?
I only have two block of public ip addresses for each customer. (one block belongs to the T1 side, other block is the lan side).
Do anyone running into similar situation?
Thanks,
05-08-2010 01:38 AM
I would recommend terminating all the 3 VPN tunnels to just the 1 outside interface of the ASA for simplicity.
Basically, configure all the 2811 LAN with public ip range in the same subnet as the ASA outside interface, with switch connecting all the 3 routers and ASA outside interface. On the ASA, you would need to configure route for each of the customer's VPN peer IP and LAN subnets to be routed to the corresponding 2811 router LAN interface IP.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide