Cisco Support Community
Designing a hub and spoke vpn with 5510(Hub) and sonicwall tz100(spoke)

Currently we have a hub and spoke VPN network with ATT. They cost too much, so we decided to design our own VPN network.

ASA 5510 and multiple TZ100 (Sonicwall)

What I'm wrestling with is trying to understand how ATT is doing it.

We have the beginnings of our network up. The ASA 5510, and 2 endpoints: an ASA 5505 and a TZ100.

ATT's network consists of a Cisco VPN 3000 and numerous Netgates (SG7100). Those are rebranded SnapGear or Secure Computing endpoints.

I've worked a bit with cisco getting the tunnels configured.

This is what I'm not understanding.

Here's a picture of the vpn network

                                 /--- Netgate 10.40.45.1/24
CiscoVPN 3000 (192.168.199.2) ----- Netgate 10.40.46.1/24    (etc. for all /24's in 10.0.0.0/8)
                                 \--- Netgate 10.40.47.1/24

Also, I'm not sure if ATT set same-security-traffic permit intra-interface, or I suspect it's the setting of OSPF and RRI that allows me at 10.40.45.1/24 to go over the VPN tunnel to any endpoints on 10.0.0.0/8.

i.e. 10.40.45.1/24 --- VPN Tunnel --- 10.40.58.1/24

My network is not working like ATT has theirs set up.

1st. In configuring my network, Cisco had me assign a static route in one of the endpoints (hub) to just reach 10.40.45.1/24 from the 10.40.46.1/24 network. Moving forward, to reach 10.0.0.0/8 I can only assume I need to add a route for 10.0.0.0/8 to reach the other endpoints from any other endpoint.

2nd. These ATT endpoints are not very configurable. Granted, ATT probably has it locked down with their firmware, but I can't see ATT pre-configuring the router with static routes. Their VPN 3000, in my opinion, has to be updating the routes in the endpoint.

10.0.0.0/24        10.40.49.1 (10.40.49.1)    ipsec0    local    indirect
192.168.199.0/26   10.40.49.1 (10.40.49.1)    ipsec0    local    indirect

3rd. In moving our network, I asked ATT to move 2 /24's and point them to our ASA from the Cisco VPN 3000.

They said that would be a problem because we have reverse route injection enabled.

I have limited knowledge of RRI. Would this be the setting that causes the endpoints routing table to be updated from the cisco vpn 3000?

Anyone have any suggestions on how to implement what I'm trying to do?

Basically, I would like to control more of the routing from ASA 5510 if possible.

Thanks in advance.

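As an added example that is not part of the original post or of any vendor's documentation, the hub-side ASA configuration below shows the three pieces the post is asking about working together: reverse route injection (RRI) on each spoke's crypto map entry, redistribution of those injected static routes into OSPF, and same-security-traffic permit intra-interface so that spoke-to-spoke traffic can enter and leave the same outside interface. It assumes ASA 8.4 IKEv1 syntax, interface names inside and outside, a hub LAN of 192.168.199.0/24, two spokes whose public addresses are the documentation addresses 203.0.113.45 and 203.0.113.46, the object and map names shown, and a placeholder pre-shared key; all of those are assumptions, not values from the post.

```text
! ---- Assumed addressing (not from the original post) ----
! hub inside LAN : 192.168.199.0/24
! spoke A        : 10.40.45.0/24 behind public peer 203.0.113.45
! spoke B        : 10.40.46.0/24 behind public peer 203.0.113.46
! hub outside    : 203.0.113.10, default gateway 203.0.113.1

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.199.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 203.0.113.1

! Spoke-to-spoke traffic arrives on outside and must leave on outside
! again; without this the ASA drops the hairpin.
same-security-traffic permit intra-interface

! ---- IKEv1 / IPsec policy ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

tunnel-group 203.0.113.45 type ipsec-l2l
tunnel-group 203.0.113.45 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-SPOKE-A-KEY
tunnel-group 203.0.113.46 type ipsec-l2l
tunnel-group 203.0.113.46 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-SPOKE-B-KEY

! ---- Crypto ACLs: local side is all of 10.0.0.0/8 plus the hub LAN,
! so any spoke (or the hub) can reach any other spoke through the hub
! without a new ACL line per spoke pair. Each spoke's own policy must
! mirror this (10.40.4x.0/24 <-> 10.0.0.0/8 and 192.168.199.0/24).
access-list VPN-SPOKE-A extended permit ip 10.0.0.0 255.0.0.0 10.40.45.0 255.255.255.0
access-list VPN-SPOKE-A extended permit ip 192.168.199.0 255.255.255.0 10.40.45.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 10.0.0.0 255.0.0.0 10.40.46.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 192.168.199.0 255.255.255.0 10.40.46.0 255.255.255.0

! ---- One crypto map entry per spoke, each with RRI ----
! set reverse-route makes the ASA install a static route for the
! remote side of the crypto ACL (10.40.45.0/24, 10.40.46.0/24) pointing
! out the outside interface, so the hub's own routing table knows which
! tunnel a spoke lives behind. It changes only the hub's table; it does
! not push anything to the spokes.
crypto map VPNMAP 10 match address VPN-SPOKE-A
crypto map VPNMAP 10 set peer 203.0.113.45
crypto map VPNMAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map VPNMAP 10 set reverse-route
crypto map VPNMAP 20 match address VPN-SPOKE-B
crypto map VPNMAP 20 set peer 203.0.113.46
crypto map VPNMAP 20 set ikev1 transform-set TS-AES256-SHA
crypto map VPNMAP 20 set reverse-route
crypto map VPNMAP interface outside

! ---- Hand the RRI routes to the rest of the hub site via OSPF ----
! The injected routes are static routes, so redistribute static picks
! them up and advertises each spoke /24 to OSPF neighbours on inside.
router ospf 1
 network 192.168.199.0 255.255.255.0 area 0
 redistribute static subnets

! ---- NAT exemption (8.3+ object syntax, assumed) ----
! Hub LAN to spokes, and spoke-to-spoke hairpin on outside, must not be
! translated or the traffic will not match the crypto ACLs.
object network NET-HUB-LAN
 subnet 192.168.199.0 255.255.255.0
object network NET-10
 subnet 10.0.0.0 255.0.0.0
nat (inside,outside) source static NET-HUB-LAN NET-HUB-LAN destination static NET-10 NET-10
nat (outside,outside) source static NET-10 NET-10 destination static NET-10 NET-10
```

With this in place, a packet from 10.40.45.0/24 to 10.40.46.0/24 is decrypted on outside, routed by the RRI-injected static route for 10.40.46.0/24 back out outside (allowed by same-security-traffic permit intra-interface), and re-encrypted to spoke B. The spokes still need their own route for 10.0.0.0/8 into the tunnel, which is what the Netgate routing table in the post shows (10.0.0.0 via ipsec0); RRI on the hub does not create that route for them. On the hub, show route lists the injected spoke routes as static entries, and show crypto ipsec sa confirms which spoke tunnels are up.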