Thanks for reply, of course, I attached diagram and part of config below

You don't need change the NAT. The traffic between A and C won't be nat-ed based on your configuration on this router.

I don't see how you define ACL 118.

Does it include the traffic between A and C?

If not, you need add it on this router and the remote end at A & C as well.

I did not see the config of the 2600 router. can u post it as well.

Hi Kevin,

     Yes, I missed to copy 118 ACL, here it's:

access-list 118 remark ATM
access-list 118 remark SDM_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.0.0 0.0.0.255 192.171.5.0 0.0.0.255

As you see, there are nothing about between A and C, you adviced to include here traffic between A and C, you mean like that -

access-list 118 permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255 ?

Can you explain how IPSec works when it get packets from different subnet? Let's say how IPSec works when I trying to send packets from A to C, packet with source address 192.1.1.2 and destination address 192.171.5.2? Can IPSec encrypt traffic from different subnet? Though, when we configured Site-to-Site IPSec, we entered 192.171.5.0/24 as Remote Subnet for C on B, and entered 192.168.0.0/24 as remote subnet for B on C. So B and C works without any problem. May be we have to include in IPSec config also 192.1.1.0/24 as remote subnet for A on C? But I have no idea how do it. May be this is wrong oponion. Also, you wrote that - "traffic between A and C won't be nat-ed based", can you explain, how then traffic from A goes to C without nat, through Internet? Config of router 2600 has a simple rules and there are nothing about IPSec, it's just connected to 2811, if it's important, then let me know about it and i'll post config of 2600.

Yes, you need add "access-list 118 permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255" in ACL 118.

All traffic match ACL 118 will go into IPSec tunnel.

You don't need NAT those IPsec traffic since IPSec will add the other IP header with public IP. You can search on Cisco Website to find some document which explain how IPSec works.

Here is how packet from A is forwarded to C via IPSec.

1. At A branch, you need add the entry "permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255" in the ACL which is used by Crypto map. The traffic from A to C will match this ACL entry and be encrypted to send to Main office via IPSec tunnel.

2. Router 2610 will decrypt it and forward it to router 2811. Since this packet will match ACL 118, it will be encrypted and sent to C via IPSec tunnel between Main office and C.

3. At C - Partner office, the packet will be decrypted and forwarded to the destination.

you need add "permit ip  192.171.5.0 0.0.0.255 192.1.1.0 0.0.0.255"  in the ACL which is used by crypto map.

You probably need add "permit ip  192.171.5.0 0.0.0.255 192.1.1.0 0.0.0.255" in ACL which is used by cyrpto map on router 2610 as well.

Kevin, thanks for the reply!

     A and B (2610) connects via Internal private VPN (not IPSec), you can see it in diagram. And the traffic between A and B did not encrypted. After adding rule in 118:

access-list 118 remark ATM
access-list 118 remark SDM_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.0.0 0.0.0.255 192.171.5.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255

tracert from A to C shows the packets goes till 192.168.0.1 (B IPSec gatewey), here is trace log:

Did you add "permit ip  192.171.5.0 0.0.0.255 192.1.1.0 0.0.0.255"  in the ACL which is used by crypto map at the C site?

If not, please add it and rebuild the tunnel.