2 VPN tunnels on 1 Cisco router interconnect (proxy VPN)
I am trying to interconnect 2 site-to-site IPsec VPN tunnels on 1 router. I can reach both networks from the testing PC, but I can't imagine how to connect the local LANs from the 2 VPN tunnels together. At the locations there are low-end routers in which you cannot set ACLs.
ip access-list extended LOCAL
 deny ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 deny ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
 permit ip 172.30.0.0 0.0.255.255 any
!
access-list 111 permit ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 111 permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255
!
access-list 175 permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255
!
access-list 180 permit ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 180 permit ip 172.30.2.0 0.0.0.255 172.30.1.0 0.0.0.255
On central there is: permit 192.168.100.0 0.0.0.255 172.30.0.0 0.0.255.255
But the problem is on location1 - this is a low-end router without ACLs. In the GUI I can set only 1 local subnet/netmask and 1 remote subnet/netmask.
Static routing can be configured on the D-Link.
It might be possible to use the supernet 172.30.0.0/16 in your ACLs. Normally I would prefer not to do that, because:
in the Cisco 1841 it creates overlap that could lead to unexpected behaviour;
the D-Link might not accept that the local subnet (172.30.x.0/24) is part of the remote subnet (172.30.0.0/16).
And even if this approach does not create problems and actually solves your problem, another problem is that the central site that hosts your server is not within the 172.30.0.0/16 range; you should re-number this site.
The ACLs 175 and 180 would look like this:
access-list 175 permit ip 172.30.0.0 0.0.255.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.255.255 172.30.1.0 0.0.0.255
When you have altered the above two ACLs, there should be communication between those two 'remote location' sites. Your next step is to get connectivity to the central site.
Not a perfect solution at all, but I think it is your only chance to get it working if the remote routers only support one 'remote subnet' in the VPN configuration.
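As an added illustration (not code from either poster), the following Python checker parses crypto ACL lines in the form posted above, answers whether a given flow is "interesting traffic" for an ACL, and flags the hazard the answer warns about: a supernet entry whose remote network lies inside its own local network. The ACL text is constructed from the question (original) and the answer (proposed); only contiguous wildcard masks are handled.

```python
from ipaddress import IPv4Address, IPv4Network

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an IPv4Network (contiguous wildcards only)."""
    mask = (~int(IPv4Address(wildcard))) & 0xFFFFFFFF   # wildcard is the inverted subnet mask
    prefixlen = bin(mask).count("1")
    return IPv4Network(f"{addr}/{prefixlen}", strict=False)

def parse_crypto_acls(config):
    """Collect 'access-list N permit ip SRC WC DST WC' lines into {N: [(local_net, remote_net)]}."""
    acls = {}
    for line in config.strip().splitlines():
        p = line.split()
        if len(p) == 8 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            entry = (wildcard_to_network(p[4], p[5]), wildcard_to_network(p[6], p[7]))
            acls.setdefault(p[1], []).append(entry)
    return acls

def flow_matched(acls, name, src, dst):
    """True if ACL `name` selects traffic from src to dst (both 'a.b.c.d/n' strings)."""
    s, d = IPv4Network(src), IPv4Network(dst)
    return any(s.subnet_of(ls) and d.subnet_of(rs) for ls, rs in acls.get(name, []))

def self_overlapping_entries(acls, name):
    """Entries whose remote network overlaps the local network, e.g. local 172.30.0.0/16 with
    remote 172.30.2.0/24: the remote site's own LAN is then matched by its own tunnel ACL."""
    return [(ls, rs) for ls, rs in acls.get(name, []) if ls.overlaps(rs)]

# Constructed sample input: ACLs 175/180 as posted in the question and as proposed in the answer.
ORIGINAL = """
access-list 175 permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 180 permit ip 172.30.2.0 0.0.0.255 172.30.1.0 0.0.0.255
"""
PROPOSED = """
access-list 175 permit ip 172.30.0.0 0.0.255.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.255.255 172.30.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("proposed", PROPOSED)):
        acls = parse_crypto_acls(cfg)
        print(label, "location1->location2 matched by ACL 175:",
              flow_matched(acls, "175", "172.30.1.0/24", "172.30.2.0/24"))
        print(label, "self-overlapping entries in ACL 175:", self_overlapping_entries(acls, "175"))
```

Running it shows the trade-off in the answer: the original ACL 175 never selects location1-to-location2 traffic, while the supernet version does but also matches 172.30.2.0/24 against itself.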