I am looking for a possible design solution to propose to a customer. He has a HQ and 10 remote offices/business partners. The remotes need to be connected to HQ and other remotes with VPN tunnels (IPsec 3DES). The way we want to implement this is:
1) All the remotes will have one and only one tunnel to the HQ router. If they want to talk to another remote, it has to go through the HQ router. I know the Altiga boxes support the "router on a stick" topology but am not sure how to do it.
2) Since there are business partners involved in the design, there is no control over the IP addressing on their private networks. It is possible that a remote office and a business partner might have the same private IP address range. How does one make the VPN configs on Cisco routers / Altiga immune to this?
Your 'router on a stick' method will work OK for the site-to-site config, although to get around the duplicate IP LANs you would probably have to implement a router running NAT before the traffic gets to the VPN device.
Joel is correct. As I see it, you will have to implement NAT/DHCP at each site that is using private IP space in their LAN environment.
Question for you? Why are they using an internet VPN? With the star topology, it might be more cost effective and easier to implement/manage if it were a Frame Relay environment. Depending on where the sites are, maybe even a private line environment.
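
An address-planning sketch for the NAT approach suggested in the replies above, added here as an example and not part of the original thread: it finds overlapping LAN prefixes across the spokes and gives each conflicting site a unique 1:1 translated block to present inside its tunnel. The site names, prefixes and the 10.255.0.0/16 translation pool are constructed assumptions.

```python
import ipaddress

# Constructed sample data: site names and LAN prefixes are hypothetical.
SITES = {
    "hq":        "10.0.0.0/24",
    "office-1":  "192.168.1.0/24",
    "partner-a": "192.168.1.0/24",   # exact duplicate of office-1
    "partner-b": "192.168.0.0/23",   # larger block that contains office-1
    "office-2":  "172.16.5.0/24",
}
NAT_POOL = "10.255.0.0/16"           # assumed pool reserved for translated addresses


def find_overlaps(sites):
    """Return (site_a, site_b) pairs, in name order, whose LAN prefixes overlap."""
    nets = {name: ipaddress.ip_network(p) for name, p in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def plan_nat(sites, pool, keep=("hq",)):
    """Map every conflicting site (except those in keep) to a unique block.

    The block has the same prefix length as the real LAN, so the NAT router in
    front of the VPN device can translate 1:1 before traffic enters the tunnel.
    """
    conflicted = sorted({s for pair in find_overlaps(sites) for s in pair} - set(keep))
    used = [ipaddress.ip_network(p) for n, p in sites.items() if n not in conflicted]
    plan = {}
    for name in conflicted:
        real = ipaddress.ip_network(sites[name])
        for cand in ipaddress.ip_network(pool).subnets(new_prefix=real.prefixlen):
            if not any(cand.overlaps(u) for u in used):
                plan[name] = (real, cand)
                used.append(cand)
                break
        else:
            raise ValueError(f"NAT pool exhausted for {name}")
    return plan


def translate(addr, real, mapped):
    """1:1 static NAT: keep the host offset, swap the network part."""
    offset = int(ipaddress.ip_address(addr)) - int(real.network_address)
    return str(mapped.network_address + offset)
```

The hub then routes and writes its tunnel traffic selectors against the translated blocks only, so no two spokes ever present the same range to HQ.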