cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
872
Views
0
Helpful
3
Replies

SA520w routing through site-to-site VPN tunnels

brierleyIT
Level 1
Level 1

I have multiple offices that will be connected using site-to-site VPN tunnels and all will be using the SA520W (firmware 2.1.18) . I currently have 3 routers in place, Router A has tunnels established to Router B and Router C. I need some assistance with the configuration to allow hosts from Router site B get to Router site C. I have attempted adding a static route but get a destination host unreachable when trying to ping. Also, If I connect to Router site A through the Cisco VPN client, I am not able to get to resources at either site B or C.

Site A - 10.10.0.0/24

Site B - 10.0.0.0/24

Site C - 10.25.0.0/24

Any help is greatly appreciated.

1 Accepted Solution

Accepted Solutions

Alejandro Gallego
Cisco Employee
Cisco Employee

So this is what you have configured correct?

                                   RTR_A

                                       ||

               _____________ || ___________

               ||                                            ||

            RTR_B                                RTR_C

Since there is no tunnel between C and B there is no way for us pass that traffic accross RTR_A for a couple of reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not authorized to go accross the IPSec tunnel (this is IPSec correct?) of rtr_a ==> rtr_b. You can't just add a route statement because your addresses are not routeable which is the reason it fails.

Your only option is to create an other tunnel between rtr_b and rtr_c. This may not be the ONLY option but should get you what you need.

hope this helps.

View solution in original post

3 Replies 3

Alejandro Gallego
Cisco Employee
Cisco Employee

So this is what you have configured correct?

                                   RTR_A

                                       ||

               _____________ || ___________

               ||                                            ||

            RTR_B                                RTR_C

Since there is no tunnel between C and B there is no way for us pass that traffic accross RTR_A for a couple of reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not authorized to go accross the IPSec tunnel (this is IPSec correct?) of rtr_a ==> rtr_b. You can't just add a route statement because your addresses are not routeable which is the reason it fails.

Your only option is to create an other tunnel between rtr_b and rtr_c. This may not be the ONLY option but should get you what you need.

hope this helps.

What you have illustrated is correct. I will establish the other tunnel connections to get what I need for now. As far as the Cisco VPN client connection is concerned, I would like to be able to connect thru Router A and be able to get to both the B and C networks, can this still be accomplished?

Once all sites are interconnected I THINK you should be able to configure the SSL VPN to route to the other networks. It has been a while since I played with the SA520 so I don't remember what some of the caveats were in the SSL configuration. I know we can route to internal subnets, but after that... you will need to speak with support.

Now another option, is using a VPN client like IPSecuritas (Mac) or Shrew (PC) where you could connect to all three sites and abviously route accordingly. This would be an IPSec connection and will take a little more configuration and planning, but if you only have a handful of remote users then it would be worth looking into.

-Good Luck