- 1st subnet in branch office 220.127.116.11/24, let's say A
- 2nd subnet in main office 192.168.0.0/24, let's say B
- 3rd subnet in partner company 18.104.22.168/24, let's say C
A and B connect via an internal IP-VPN; B and C connect via IPSec (Site-to-Site) through a GPRS Internet connection. From B I can "see" subnets A and C, and I also want to establish a connection between A and C. When I launch tracert from A to C, the last hop stops on the B gateway which connects to C. When I add NAT rules for subnet A on the B gateway, then tracert from A to C goes to the Internet after the B gateway IP. Can you help resolve the problem between A and C? Thanks...
As you see, there is nothing about traffic between A and C; you advised including traffic between A and C here, you mean like that -
access-list 118 permit ip 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255 ?
Can you explain how IPSec works when it gets packets from a different subnet? Let's say, how does IPSec work when I am trying to send packets from A to C, a packet with source address 188.8.131.52 and destination address 184.108.40.206? Can IPSec encrypt traffic from a different subnet? Though, when we configured Site-to-Site IPSec, we entered 220.127.116.11/24 as the Remote Subnet for C on B, and entered 192.168.0.0/24 as the remote subnet for B on C. So B and C work without any problem. Maybe we also have to include 18.104.22.168/24 in the IPSec config as a remote subnet for A on C? But I have no idea how to do it. Maybe this is a wrong opinion. Also, you wrote that "traffic between A and C won't be nat-ed based"; can you explain how then traffic from A goes to C without NAT, through the Internet? The config of router 2600 has simple rules and there is nothing about IPSec; it's just connected to the 2811. If it's important, let me know and I'll post the config of the 2600.
Yes, you need to add "access-list 118 permit ip 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255" to ACL 118.
All traffic matching ACL 118 will go into the IPSec tunnel.
You don't need to NAT that IPsec traffic, since IPSec will add another IP header with the public IP. You can search the Cisco website for documents which explain how IPSec works.
Here is how a packet from A is forwarded to C via IPSec.
1. At branch A, you need to add the entry "permit ip 188.8.131.52 0.0.0.255 184.108.40.206 0.0.0.255" in the ACL which is used by the crypto map. The traffic from A to C will match this ACL entry and be encrypted and sent to the Main office via the IPSec tunnel.
2. Router 2610 will decrypt it and forward it to router 2811. Since this packet will match ACL 118, it will be encrypted and sent to C via the IPSec tunnel between the Main office and C.
3. At C - Partner office, the packet will be decrypted and forwarded to the destination.
You need to add "permit ip 220.127.116.11 0.0.0.255 18.104.22.168 0.0.0.255" in the ACL which is used by the crypto map.
You probably need to add "permit ip 22.214.171.124 0.0.0.255 126.96.36.199 0.0.0.255" in the ACL which is used by the crypto map on router 2610 as well.
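The reply above hinges on how a crypto ACL selects "interesting traffic": a packet is only encrypted into the tunnel if it matches a permit entry, otherwise it falls through to normal routing and NAT (which is exactly why the A-to-C tracert went out to the Internet once NAT rules for A were added). The following Python model, added here as an illustration and not taken from the thread or from Cisco, parses `access-list <n> permit ip SRC WC DST WC` lines with Cisco wildcard masks and classifies flows before and after the extra A-to-C entry is added. The subnets are constructed stand-ins (A = 10.1.1.0/24, B = 192.168.0.0/24, C = 10.3.3.0/24), since the addresses quoted in the thread vary between posts; `mirror()` produces the peer-side ACL, reflecting the IOS rule that crypto ACLs on the two ends of a tunnel must be mirror images of each other.

```python
"""Model of Cisco IOS crypto-ACL matching ("interesting traffic").

Added example, not code from the thread. Subnets are constructed stand-ins:
A (branch) = 10.1.1.0/24, B (main office) = 192.168.0.0/24, C (partner) = 10.3.3.0/24.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: int      # source address as a 32-bit int
    src_wc: int   # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny ip SRC SRC_WC DST DST_WC'."""
    t = line.split()
    if len(t) != 8 or t[0] != "access-list" or t[3] != "ip" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    return Ace(t[2], _ip(t[4]), _ip(t[5]), _ip(t[6]), _ip(t[7]))


def _wc_match(addr: int, base: int, wc: int) -> bool:
    # Only the bits that are 0 in the wildcard mask must match; this also
    # masks away non-zero host bits in the ACE itself, as IOS does.
    keep = ~wc & 0xFFFFFFFF
    return (addr & keep) == (base & keep)


def classify(acl: list[Ace], src: str, dst: str) -> str:
    """First match wins. 'encrypt' = goes into the IPsec tunnel;
    'clear' = implicit deny, packet is routed (and possibly NATed) normally."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if _wc_match(s, ace.src, ace.src_wc) and _wc_match(d, ace.dst, ace.dst_wc):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"


def mirror(acl: list[Ace]) -> list[Ace]:
    """Crypto ACL the peer must carry: same entries with src/dst swapped."""
    return [Ace(a.action, a.dst, a.dst_wc, a.src, a.src_wc) for a in acl]


# Constructed equivalents of ACL 118 on the main-office (B) router.
ACL_118_BEFORE = [parse_ace("access-list 118 permit ip 192.168.0.0 0.0.0.255 10.3.3.0 0.0.0.255")]
ACL_118_AFTER = ACL_118_BEFORE + [
    parse_ace("access-list 118 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255"),
]


def demo() -> dict[str, str]:
    """Flows from the thread, evaluated against the old and new ACL."""
    return {
        "B->C before": classify(ACL_118_BEFORE, "192.168.0.10", "10.3.3.20"),
        "A->C before": classify(ACL_118_BEFORE, "10.1.1.50", "10.3.3.20"),
        "A->C after": classify(ACL_118_AFTER, "10.1.1.50", "10.3.3.20"),
        "A->Internet after": classify(ACL_118_AFTER, "10.1.1.50", "203.0.113.9"),
        "C->A on partner (mirrored)": classify(mirror(ACL_118_AFTER), "10.3.3.20", "10.1.1.50"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The "A->C before" case is the original symptom: no permit entry covers a 10.1.1.x source, so the packet is handed to normal routing instead of the tunnel. Note that the partner (C) router needs the mirrored entry too, otherwise its return traffic toward A is likewise sent in the clear.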
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router: