route traffic

prashantrecon
Level 1

Hi All,

We have three sites at Mumbai, Pune, and Delhi.

A site-to-site tunnel is created between Mumbai and Pune,

and a tunnel between Mumbai and Delhi.

We do not have a tunnel between Delhi and Pune.

Is it possible to route the traffic of Delhi from the Mumbai site to the Pune site?

The problem is we do not want to create a site-to-site tunnel between Delhi and Pune.


andrew.prince
Level 10

Search the forums, as I have answered a question just like this.

Sent from Cisco Technical Support iPad App

Thanks for your help

Hi Ajay,

Can you explain site-to-site to me?

Hello Prashant,

As Andrew said, he answered a question like this!

It is possible; all you need to do is include that communication in the crypto traffic, and also add the same-security-traffic permit intra-interface command.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcavaraj,

Just consider the scenario of three sites a, b, c.

a---10.0.0.0/24 net

b----20.0.0.0/24 net

c-----30.0.0.0/24 net

A site-to-site tunnel is created between a and b, and between a and c. There is no tunnel between b and c.

Now the requirement is that the 20 network should access the 30 network.

Please find the access-list below

on site a

access-list outside_2_crypto extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0

access-list outside_2_crypto extended permit ip 10.0.0.0 255.255.255.0 30.0.0.0 255.255.255.0

same-security-traffic permit intra-interface

on site b

access-list outside_4_crypto extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list outside_4_crypto extended permit ip  20.0.0.0 255.255.255.0 30.0.0.0 255.255.255.0

same-security-traffic permit intra-interface

on site c

access-list outside_3_crypto extended permit ip 30.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list outside_3_crypto extended permit ip 30.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0

same-security-traffic permit intra-interface

Is the configuration right? Please let me know.

Hello Prashant,

Nope. What I meant is the following:

On Router A:

Crypto map from Tunnel to B

access-list outside_2_crypto extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0

access-list outside_2_crypto extended permit ip 20.0.0.0 255.255.255.0 30.0.0.0 255.255.255.0

Same thing for the tunnel from A to C.

Sites C and B are fine; just remove the same-security command, as you do not need it there.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
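An added example, not part of the original thread: a small offline check that the crypto ACLs on all four tunnel ends cover spoke-to-spoke traffic relayed through hub A, using the thread's networks (A 10.0.0.0/24, B 20.0.0.0/24, C 30.0.0.0/24). The ACL names and the sample input are constructed, and the check assumes each tunnel end writes a flow with the source on its own side, so the hub's entry mirrors the spoke's entry on the same tunnel.

```python
import ipaddress

MASK = "255.255.255.0"
NETS = {"A": "10.0.0.0", "B": "20.0.0.0", "C": "30.0.0.0"}  # the thread's /24 networks

def acl_text(name, *pairs):
    """Constructed sample input: ASA-style crypto ACL lines for (src_site, dst_site) pairs."""
    return "\n".join(f"access-list {name} extended permit ip "
                     f"{NETS[s]} {MASK} {NETS[d]} {MASK}" for s, d in pairs)

def parse_crypto_acl(text):
    """Return the set of (source, destination) networks from 'permit ip' entries."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 9 and tok[0] == "access-list" and tok[3:5] == ["permit", "ip"]:
            pairs.add((ipaddress.ip_network(f"{tok[5]}/{tok[6]}"),
                       ipaddress.ip_network(f"{tok[7]}/{tok[8]}")))
    return pairs

def hairpin_problems(acls, hub, s1, s2):
    """List entries missing for s1 <-> s2 traffic relayed through hub.

    acls maps (local_site, peer_site) to that tunnel end's parsed crypto ACL.
    Assumption: each end lists a flow with the source on its own side, so the
    hub's entry is the mirror image of the spoke's entry on the same tunnel.
    """
    net = {k: ipaddress.ip_network(f"{v}/{MASK}") for k, v in NETS.items()}
    problems = []
    for spoke, other in ((s1, s2), (s2, s1)):
        if (net[spoke], net[other]) not in acls[(spoke, hub)]:
            problems.append(f"{spoke} tunnel to {hub}: missing {net[spoke]} -> {net[other]}")
        if (net[other], net[spoke]) not in acls[(hub, spoke)]:
            problems.append(f"{hub} tunnel to {spoke}: missing {net[other]} -> {net[spoke]}")
    return problems

def build(hub_relays):
    """Parse all four tunnel ends; hub_relays adds the spoke-to-spoke entries at A."""
    to_b = [("A", "B")] + ([("C", "B")] if hub_relays else [])
    to_c = [("A", "C")] + ([("B", "C")] if hub_relays else [])
    return {  # ACL names are hypothetical labels, not taken from a real device
        ("A", "B"): parse_crypto_acl(acl_text("hub_to_b_crypto", *to_b)),
        ("A", "C"): parse_crypto_acl(acl_text("hub_to_c_crypto", *to_c)),
        ("B", "A"): parse_crypto_acl(acl_text("b_to_hub_crypto", ("B", "A"), ("B", "C"))),
        ("C", "A"): parse_crypto_acl(acl_text("c_to_hub_crypto", ("C", "A"), ("C", "B"))),
    }

if __name__ == "__main__":
    for relays in (False, True):
        print("hub relays:", relays, hairpin_problems(build(relays), "A", "B", "C"))
```

The check covers only the crypto ACLs; the hub still needs same-security-traffic permit intra-interface, as noted in the thread.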

Thanks a lot,

I appreciate the quick response, as always. I will let you know once done.

Hello Prashant,

My pleasure! Sure, just keep me posted.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Suppose I want to RDP to Site A from Site C.

Site A IP is 10.10.10.5

Site C IP is 30.30.30.10

How will routing work in this case?

Hello,

As I said before, you will need to match that traffic into the crypto ACL, that is all you need.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks,

If I run show crypto isakmp sa on C for the destination B, will it display the state as QM_IDLE?

Hello Prashant,

Can you post the 3 sites config?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC