That was the general idea Jon. To give a little more info, I have 2 sets of dispersed sites in remote locations (20 sites in each country), and only 1 in each with very good connectivity. All sites must be able to talk to each other and I don't really want to have 39 L2L VPNs on each device. There is already a VPN network in place but it's a bit messy.
So the thought was to have a hub site in each location with a route to all other remote networks on each remote device via its local hub. This would result in traffic being returned by a different route but would have the benefit of going via its local site with very good connectivity.
The subnets are not split well so I would need 20 static routes or match statements on each device if I put a VPN to both hubs for traffic to be returned by the same route. There'd be a tunnel to each hub for redundancy of critical systems, but I wanted to avoid all the statics or acl entries.
Any thoughts appreciated. Thanks again.
Edit: Btw Jon, I had to reply here and view your reply in page source because the site doesn't seem to agree with IE8 anymore... (I can't read anyone's reply with the Hall of Fame badge)
Firstly I'm having an issue displaying posts as well. If you go to Account -> Preferences and select Threaded view as opposed to Flat view this may help.
As for your setup, something keeps nagging me that it won't work but like Collin and PK I can't see a reason why it wouldn't. If the traffic could return by different tunnels though I think you would get caught out by the anti-replay feature of IPsec because each tunnel would be keeping its own sequence numbers. But if the traffic always comes via the same tunnel even if that is not the one that traffic went out on it may well work.
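The per-tunnel sequence tracking Jon refers to, as an added example that is not part of the thread: a small Python model of the ESP anti-replay sliding window (RFC 4303) that a receiver keeps separately for each inbound Security Association, i.e. per tunnel, fed with constructed packet arrivals on two tunnels. The names AntiReplayWindow and deliver are assumed for the illustration and are not ASA code.

```python
# Added example: a minimal model of the IPsec ESP anti-replay sliding window
# (RFC 4303 section 3.4.3) as kept per Security Association, i.e. per tunnel.
# Constructed illustration, not ASA code and not part of the thread.
from dataclasses import dataclass

@dataclass
class AntiReplayWindow:
    """One receive-side window; a real receiver keeps one per inbound SA."""
    size: int = 64          # window width in sequence numbers (64 as RFC 4303 suggests)
    top: int = 0            # highest sequence number accepted so far
    bitmap: int = 0         # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if acceptable, False if it must be dropped."""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.top:                    # right of the window: slide it forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                  # bit 0 now represents the new top
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # too old: fell off the left edge
            return False
        if self.bitmap & (1 << offset):       # already seen on this SA: replay
            return False
        self.bitmap |= 1 << offset
        return True

def deliver(windows: dict, sa: str, seq: int) -> bool:
    """Look up the window for the tunnel (SA) the packet arrived on and run the check."""
    return windows.setdefault(sa, AntiReplayWindow()).check_and_update(seq)

def demo():
    # Constructed sample: two inbound tunnels (from hub A and hub B) on one receiver.
    windows = {}
    return [
        deliver(windows, "sa-hubA", 1),     # first packet on tunnel A: accept
        deliver(windows, "sa-hubA", 2),
        deliver(windows, "sa-hubA", 2),     # duplicate on the same SA: drop
        deliver(windows, "sa-hubB", 1),     # seq 1 again, but on tunnel B: accept
        deliver(windows, "sa-hubA", 100),   # jump ahead: accept, window slides
        deliver(windows, "sa-hubA", 30),    # 70 behind top, outside 64-wide window: drop
        deliver(windows, "sa-hubA", 50),    # 50 behind top, inside window, unseen: accept
    ]

if __name__ == "__main__":
    print(demo())
```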
Thanks for the tip, doesn't seem to help much unfortunately. This morning I can't see any threads in the firewalling forum when using IE. Other browsers don't seem to have the problem at all.
Upon further investigation, it seems that the inter-site latency is not much different whether the traffic goes via the local or remote hub for any site. May I ask very briefly what your recommendation would be for the design of this network? I know you don't have all the details, but the bandwidth and hardware in place at the hub sites is sufficient for handling all of the internal traffic. The rest of the sites are mostly DSL, with a few T1s and 10Mb fibre circuits dotted around the place. There's an ASA 5510 or 20 at every site and the client doesn't want to purchase any more hardware.