We use a site-to-site VPN from A (DMZ, 10.10.10.0/24) to B (172.20.20.0/24) and it works fine. Now a SAP-Server (B) has to send the print jobs to the Printserver (10.20.20.1) behind network A. So I have configured:
For the 172.20.20.x to access a network 10.20.20.x which is behind the network 10.10.10.x, all you need is to make sure there is an encryption ACL for the traffic to be encrypted and pass through the tunnel.
In your encryption ACL for the tunnel from A to B, you would add an ACL entry:
access-list permit ip 10.20.20.0 255.255.255.0 172.20.20.0 255.255.255.0
Make sure the B side is configured as a mirror image of the ACL above.
Hope this helps. If not, post your config and I will take a look at it.
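The mirror-image requirement from the reply above can be checked offline before touching either peer. This is an added example, not part of the original thread: the ACL names `VPN_TO_B` and `VPN_TO_A` and both sample configs are constructed, and only plain `permit ip <net> <mask> <net> <mask>` entries are handled.

```python
import ipaddress
import re

# PIX-style entry: access-list <name> permit ip <src> <mask> <dst> <mask>
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_crypto_acl(config_text):
    """Return the set of (source, destination) networks found in the ACL lines."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # not a plain permit-ip entry; ignored in this sketch
        src, smask, dst, dmask = m.groups()
        pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                   ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs

def mirror_mismatches(side_a, side_b):
    """List entries on each peer that lack a swapped src/dst entry on the other."""
    a, b = parse_crypto_acl(side_a), parse_crypto_acl(side_b)

    def unmatched(own, peer):
        return sorted(f"{s} -> {d}" for s, d in own if (d, s) not in peer)

    return unmatched(a, b), unmatched(b, a)

# Constructed sample: side A carries the new 10.20.20.0/24 entry, side B does not.
SIDE_A = """
access-list VPN_TO_B permit ip 10.10.10.0 255.255.255.0 172.20.20.0 255.255.255.0
access-list VPN_TO_B permit ip 10.20.20.0 255.255.255.0 172.20.20.0 255.255.255.0
"""
SIDE_B = """
access-list VPN_TO_A permit ip 172.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

if __name__ == "__main__":
    only_a, only_b = mirror_mismatches(SIDE_A, SIDE_B)
    for entry in only_a:
        print("on A, no mirror on B:", entry)
    for entry in only_b:
        print("on B, no mirror on A:", entry)
```

An entry reported for one side means the peers disagree about which traffic belongs in the tunnel, so that traffic will not be encrypted and passed consistently in both directions.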
Indeed, I haven't an encryption ACL for the traffic to network 10.20.20.x
In network 172.20.20.x I can't route 10.20.20.x through the tunnel because there is another network with 10.20.20.x behind 172.20.20.x
I don't understand why I have to configure an encryption ACL for network 10.20.20.x because I want to hide this network (or one IP address) behind an address from network 10.10.10.x. Therefore I configured the static and conduit command. Is this false?
So the device on your Network A is a PIX with VLAN interfaces?
Can you send me the output of the following from the PIX, please.
a. sh ip (Make sure the outside address is marked as x.x.x.x when you paste in the post).
b. sh cry map
c. sh run | in nat
Helmut, if you have only one device on the network A which is a PIX and you have segmented the interfaces via VLAN, then my guess is you haven't done the part of adding the 10.20.20.x network for your encryption ACL.
If you do a static NAT on the PIX for your DMZ to inside, it is just going to translate for the networks on the inside to access the DMZ not from the network B.
Let me see the outputs and give you the suggestion to do it the right way.
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: