I have a fail over VPN Site to Site VPN solution that I inherited when hired a couple months ago. I understand the interesting traffic Permit ACL but there is also a extremly large deny ACL. I am trying to follow the packet so I can explain the entire process to management. I am going to replace this solution using the DMVPN solution hopefully. Our current solution is not scalable as we add more spokes ...the ACLs get to big. Here is a sample of our VPN solution. Again I am just trying to follow the packet and understand how the DENY ACL works...we have a VOIP solution in place as well so each spoke will need to talk to each spoke for voice,,,10 sites will not be failed over but 1 may and it needs to continue to communicate.
Thanks for the quick response. The solution does work and works well but is not scalable. Believe me we want to summarize but the issue is we have 20 remote sites/(subnets) and lets say site 1 fails over to VPN connection solution and sites 2-20 are still connected normally to WAN then from what I see is the deny ACL on the Headend keeps non nat traffic away...IE the sites still connected to normal WAN connection. I am in the process of getting this in a lab but I think VPN/GRE and IPSEC vai DMVPN is a much better solution. But I must be able to explain the OLD current solution and why I want to migrate to the DNVPN solution.
I would proably use a dynamic routing protocol, in GRE tunnels over the VPN connections. This way you can control the traffic from remote site to remote site via the hub central site - using either an acl or distibute lists.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...