VPN: Main Office ASA5510 to Remote 2811 w/ dual DSL

Discussion in 'Cisco' started by ngqs2004, Jan 25, 2006.

  1. ngqs2004

    ngqs2004 Guest

    I need some help: options and/or confirmation. I planned this out w/
    Cisco pre-sales consulting, now the Cisco support is saying it can't be
    done as planned. I know enough to understand the situation but not
    enough to do the configurations or know if they really have the problem
    and options correct.

    Main Office has a T1 into a 2621XM, which is in front of an ASA5510.
    The remote office has a 2811 w/ 2 DSL circuits, same provider but on
    separate subnets. I need a VPN between the 2 offices, I either need to
    prioritize voice over data on 1 tunnel OR have separate tunnels for
    voice & data traffic over the separate DSL circuits. I would prefer 1
    tunnel that uses both DSL circuits w/ prioritized voice since it
    provides redundancy if one DSL circuit goes down.

    I am aware of the issues of voice over DSL, let's save that discussion
    for another day.

    Cisco support is saying that you can't have 2 tunnels from the 2811
    terminating on 1 IP on the 5510. My understanding of the problem as
    they described it: the crypto map will overlap / conflict, either the
    2nd tunnel won't come up or it will come up and take down the first
    tunnel; because it will know the the far side IP is the same for both
    tunnels. Does this sound correct? If so this implies that it could be
    done w/ 2 routers at the remote site but not 1?

    Someone else has suggested bonding the 2 DSL circuits together in a
    multi-link or etherchannel, and running the tunnel from the multi-link
    or etherchannel interface to the 5510. Does this sound feasible, can
    you provide an example config/link?

    Cisco support says my options are:

    1. Obtaining from my ISP a 2nd block of IPs on a different subnet to
    allow another WAN interface to be active on the 5510.
    2. Terminating 2 tunnels on the 2621 instead of the 5510.

    I'm not a fan of either option and am not sure that moving the tunnels
    to the 2621 isn't just recreating the problem on another box, creating
    other security/mgmt issues and for the most part making the 5510
    unnecessary.

    Thanks for your help. Pls email for a better diagram in pdf format if
    it will help.

    Ed

    ==========================================
    Main Office:

    --------------------|
           2621XM       |-----T1 to Internet
    --------------------|
              |
              |
    --------------------|
           ASA5510      |----DMZ
    --------------------|
              |
              |
    ------------------------------------------------|
          3760 Vlan1 Data & Vlan10 Voice            |
    ------------------------------------------------|

    ===========================================
    Remote Office:

    -----------------|--DSL1--to Internet
          2811       |
    -----------------|--DSL2--to Internet
       |    |
       |    |--VLAN1-Data
       |
       |--VLAN10-Voice
     
    ngqs2004, Jan 25, 2006