Cisco Support Community
Community Member

Tunnel everything from Site B to Site A

We have a local MAN that is semi public but no access to the Internet. We want to have everything from Site B to go to Site A.

Hall of Fame Super Gold

Re: Tunnel everything from Site B to Site A


If you would tell us a bit more about your environment and your requirements we could probably give better advice. But based on what you have said here I believe that there are several alternatives that you might consider which could possibly accomplish what you want.

Assuming that SiteA and SiteB have IP connectivity over this MAN you might consider one of these:

- a simple default route on SiteB pointing to SiteA as the next hop will send everything from B to A. And a static route on A for the address space at B should take care of the return traffic.

- if you want something more elaborate you might consider configuring a GRE tunnel from SiteB to SiteA. With GRE you re-encapsulate all the traffic so on the MAN the real source and destination addresses are not visible and the addresses that are visible are the addresses on B and A that are on the MAN. With GRE you could do static routing but also have the capability of running a dynamic protocol between B and A.

- if you want to provide more security for the traffic between B and A you might consider setting up an IPSec tunnel between B and A and sending traffic over the IPSec tunnel. This would carry IP unicast traffic over the MAN in an encrypted form so that it would not be observable to anyone on the MAN.

- if you want the security of IPSec but want to run a routing protocol you could consider running IPSec with GRE tunnels. This way you get the best of both: GRE allows you to run a routing protocol and IPSec provides protection to the traffic.



Community Member

Re: Tunnel everything from Site B to Site A

Okay, a bit more info. What I meant to say was we need to tunnel everything from Site B to Site A using IPSEC. Site B does not have a connection to the Internet. Site B's outside interface can see the outside interface of Site A. All of the traffic from Site B to Site A needs to be secure. How do I configure the interesting traffic for the IPSEC tunnel to be mask

Site B's internal network

Site B's and A's external network

Site A's internal network

Site A's network has a Router that connects to the Internet.


Community Member

Re: Tunnel everything from Site B to Site A

Is this command a valid command for Site B's network of

access-list 120 permit ip

Hall of Fame Super Gold

Re: Tunnel everything from Site B to Site A


The additional information that you supplied certainly does clarify what your requirements are. If you need security and protection for traffic from SiteB to SiteA then you do need IPSec.

You have a slight misunderstanding in your access list mask. If you want the equivalent of "any" it is rather than and in coding your access list it would be easier to use the keyword "any".

I do not remember the details right now but I remember some caution I read about using the "any" keyword in access lists for IPSec.

I have done something very close to what you describe at a customer site where we wanted to tunnel everything from remote sites to the central site. We chose to use IPSec with GRE tunnels. Our main purpose was to be able to support routing protocols, but it turns out that it makes the IPSec a bit easier. Assuming that your sites' addresses might be at A and at B then you would configure GRE tunnels on both routers using these addresses as source and destination.

interface tunnel 0

ip address

tunnel source

tunnel destination

and then the access list for IPSec becomes very simple:

access-list 101 permit gre host host

and then a static route (or on siteB a default route) points through the GRE tunnel. It works well.
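The GRE-over-IPsec layout described in this answer, written out as a constructed Site B configuration (added here as an example, not the poster's configuration; the addresses, interface names, hostnames and the PSK placeholder are assumptions, not values from the thread):

```cisco
! Constructed example: Site B (spoke) router, GRE over IPsec to Site A.
! Placeholder addressing (not from the thread):
!   Site A MAN address 192.0.2.1,  Site A LAN 10.1.0.0/24
!   Site B MAN address 192.0.2.2,  Site B LAN 10.2.0.0/24
!   GRE tunnel subnet  172.16.0.0/30
hostname SiteB
!
! Phase 1 (ISAKMP) policy and pre-shared key for the Site A peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 192.0.2.1
!
! Phase 2 transform set; transport mode is enough because GRE already
! supplies the outer IP header that is seen on the MAN
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! "Interesting traffic" is only the GRE packets between the two MAN
! addresses; everything routed into Tunnel0 is encrypted as a result
access-list 101 permit gre host 192.0.2.2 host 192.0.2.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.0.2.2
 tunnel destination 192.0.2.1
!
interface GigabitEthernet0/0
 description MAN-facing (semi-public)
 ip address 192.0.2.2 255.255.255.0
 crypto map GRE-MAP
!
interface GigabitEthernet0/1
 description Site B LAN
 ip address 10.2.0.1 255.255.255.0
!
! Default route through the tunnel. The tunnel destination sits on the
! directly connected MAN subnet, so the route does not recurse into Tunnel0.
ip route 0.0.0.0 0.0.0.0 Tunnel0 172.16.0.1
```

Site A mirrors this with the addresses swapped and, instead of a default route, a static route for Site B's LAN into the tunnel (ip route 10.2.0.0 255.255.255.0 Tunnel0 172.16.0.2); "show crypto ipsec sa" on either side should then count packets only for the GRE pair in access-list 101.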


