I have just configured an IPSEC VPN between our head office and one of our remote offices. The main purpose of this VPN is to route ALL traffic from the remote office via our head office and then on to the internet. This way we can control all traffic originating from the remote office from our firewall in the main office. However, this is only a temporary solution and we will eventually be installing a separate firewall in the remote office.
The problem I’m facing is that I cannot seem to find any information related to our setup. From what I understand IPSEC is mainly used to connect two offices, not used to route all traffic over it. The second problem I’m facing is that at the moment my two offices are using different subnets. At the remote office I have one subnet of 10.166.73.0/27 and at my main office I use 192.168.0.0/24. I was hoping to be able to use the same subnet at the remote office as I do in my main office. The reason I want to do this is because I have a “Captive portal” located at my main office. This “Captive portal” will only work in NAT-mode so I would like to use my router at the main office as a DHCP server for both offices.
At the moment my access-lists look like this;
Main office: permit ip 192.168.0.0 0.0.0.255 10.166.73.0 0.0.0.31
Remote office: permit ip 10.166.73.0 0.0.0.31 192.168.0.0 0.0.0.255
I was hoping to change the access-list on the remote office router to;
permit ip 10.166.73.0 0.0.0.31 0.0.0.0 0.0.0.0
in order to force all traffic over the VPN. Will this work, or do I need to match that access-list on the router in the main office?
However, it doesn't really solve my issues. I suspected that I would have to change my access-lists on both sides and that's fine, but how do I specify that traffic originating from 192.168.0.0/24 destined for the "internet" does not go towards 10.166.73.0/27?
Can I use static routes in my main office to tell the router where the packets coming from the VPN should go?
Traffic towards the internet from 192.168.0.0/24 will not be affected because the crypto ACL is only going towards the 10.166.73.0/27 subnet. The 192.168.0.0/24 will be included in the "any" in your crypto ACL. So traffic from 192.168.0.0/24 towards 10.166.73.0/27 will be encrypted, and towards the Internet will go out as per normal routing.
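The crypto ACL behaviour described in the answer above, modelled as an added Python example (it is not code from the original thread): it parses Cisco-style `permit ip` crypto ACL lines with wildcard masks, reports whether a given source/destination pair would be encrypted into the tunnel or routed normally, and checks that the two peers' ACLs mirror each other, which the IKE phase 2 proxy identities must do for the SA to come up. The ACL strings for the full-tunnel case and the test addresses 10.166.73.5, 192.168.0.10 and 203.0.113.10 are constructed for the example. The `any` keyword is modelled as 0.0.0.0 with wildcard 255.255.255.255; note that a wildcard of 0.0.0.0 matches exactly one host, so `0.0.0.0 0.0.0.0` as a destination matches only the address 0.0.0.0.

```python
import ipaddress
from typing import NamedTuple

# Constructed ACL text in Cisco IOS syntax (not from the original post's router configs).
# Original site-to-site ACLs as quoted in the question:
MAIN_ORIGINAL = "permit ip 192.168.0.0 0.0.0.255 10.166.73.0 0.0.0.31"
REMOTE_ORIGINAL = "permit ip 10.166.73.0 0.0.0.31 192.168.0.0 0.0.0.255"
# Full-tunnel variant: remote sends everything, main office mirrors it with 'any' as source.
REMOTE_FULL_TUNNEL = "permit ip 10.166.73.0 0.0.0.31 any"
MAIN_FULL_TUNNEL = "permit ip any 10.166.73.0 0.0.0.31"
# Literal 0.0.0.0 0.0.0.0 destination: wildcard 0.0.0.0 means "all bits must match".
REMOTE_HOST_ZERO = "permit ip 10.166.73.0 0.0.0.31 0.0.0.0 0.0.0.0"

ALL_BITS = 0xFFFFFFFF


class AclEntry(NamedTuple):
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens: list[str]) -> tuple[tuple[int, int], list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return (0, ALL_BITS), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_crypto_acl(text: str) -> list[AclEntry]:
    """Parse 'permit ip <src> <dst>' lines; other lines are ignored in this model."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        src, rest = _take_addr(tokens[2:])
        dst, _ = _take_addr(rest)
        entries.append(AclEntry(*src, *dst))
    return entries


def _match(addr: int, net: int, wild: int) -> bool:
    # Cisco wildcard semantics: a 1 bit in the wildcard is "don't care".
    care = ~wild & ALL_BITS
    return (addr & care) == (net & care)


def is_interesting(acl: list[AclEntry], src: str, dst: str) -> bool:
    """True if the src->dst flow hits the crypto ACL and is encrypted into the tunnel."""
    s, d = _ip(src), _ip(dst)
    return any(_match(s, e.src_net, e.src_wild) and _match(d, e.dst_net, e.dst_wild)
               for e in acl)


def classify(acl: list[AclEntry], src: str, dst: str) -> str:
    return "encrypt" if is_interesting(acl, src, dst) else "route"


def is_mirror(acl_a: list[AclEntry], acl_b: list[AclEntry]) -> bool:
    """Every entry on one peer must appear with src and dst swapped on the other."""
    swapped = {AclEntry(e.dst_net, e.dst_wild, e.src_net, e.src_wild) for e in acl_b}
    return set(acl_a) == swapped


if __name__ == "__main__":
    remote = parse_crypto_acl(REMOTE_FULL_TUNNEL)
    main = parse_crypto_acl(MAIN_FULL_TUNNEL)
    print("remote -> internet:", classify(remote, "10.166.73.5", "203.0.113.10"))
    print("main   -> internet:", classify(main, "192.168.0.10", "203.0.113.10"))
    print("main   -> remote  :", classify(main, "192.168.0.10", "10.166.73.5"))
    print("mirrored:", is_mirror(main, remote))
```

`is_mirror` is the check worth running before changing the remote side: if the remote ACL says `10.166.73.0/27 -> any` but the main office still says `192.168.0.0/24 -> 10.166.73.0/27`, the proxy identities offered in phase 2 will not agree and the tunnel will fail to negotiate for the non-matching traffic.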