Re: How to go all traffic to HQ even internet , it s site to site

takhan · ‎06-20-2019

Hi guys.. I am wonder..

How to go all traffic to HQ even internet , it s site to site

I found some answer.. that say branch do just routing to HQ

another answer says branch do pat about HQ public IP...

I am so confused ...what is correct...

please give me to way ..

thank you

Mohammed al Baqari · ‎06-20-2019

You need a site to site IPSEC VPN between HQ and BR. Then you route all
traffic across the tunnel. Natting,etc will be done at HQ.

takhan · ‎06-20-2019

thank you for reply !

so you mean branch do route

example

route 0.0.0.0 0.0.0.0 HQ public Ip

is it correct ?

Karsten Iwen · ‎06-20-2019

As always, there are multiple ways to implement this. If you want least complexity, then go the following way:

Check how your VPN is implemented. If you still use crypto maps, convert your VPN to VTIs. That makes the config much easier.
When your route-based VPN is established, configure your branch-gateway with a static host-route to the HQ-gateway. Probably you have a default-route to the internet. This default route is removed and reconfigured to point to the tunnel-IP of the HQ-router.
On the HQ internet-gateway, make sure that the NAT/PAT-rules also include the branch-networks.

takhan · ‎06-24-2019

thank you for reply ! i will try it as you advice..