I'm hoping to get some advice on how to configure the following scenario.
I have 1 HQ with an external static IP and internal IP 192.168.1.0.
I have 6 branch offices, all with external static IPs and internal addresses that range from 192.168.2.0 to 192.168.10.0; obviously some addresses are not used.
I have a site-to-site VPN for each of these branch offices back to the HQ and no VPN to each other.
I would like to be able to use a static route to allow communication between each site going through the HQ for Internal Phone system traffic.
I have tried adding static routes on each of the branch office routers, for example:
Branch 1: ip route 192.168.3.254 255.255.255.0 192.168.1.254 (Note: 192.168.3.254 is the Branch 2 router and 192.168.1.254 is the HQ router)
Branch 2: ip route 192.168.2.254 255.255.255.0 192.168.1.254 (Note: 192.168.2.254 is the Branch 1 router)
However, I cannot ping the routers from each end, but I can still ping HQ.
I would like to have this working without having to create a VPN for each site to each site as that would become rather messy.
If you are trying to allow communication between the branches via HQ, it won't work by just adding static routes.
There are 2 methods to allow communication between branches:
1) configure site-to-site VPN tunnels between each pair of branches --> which is not an option, as you already mentioned you do not want to go down this route.
2) configure hub and spoke site-to-site VPN tunnels, where communication between branches will go via HQ.
If you are trying to configure Option 2, then you would need to configure the following:
Branch 1: on the crypto ACL to HQ, you would need to add: source: branch 1 LAN, destination: branch 2 LAN
Branch 2: on the crypto ACL to HQ, you would need to add: source: branch 2 LAN, destination: branch 1 LAN
HQ:
- on the crypto ACL to branch 1, you would need to add: source: branch 2 LAN, destination: branch 1 LAN
- on the crypto ACL to branch 2, you would need to add: source: branch 1 LAN, destination: branch 2 LAN
Then on all the branches, you would need to also add the respective NAT exemption.
Hope that helps.
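The answer above shows the crypto ACL entries for two branches; the question has six. The following is an added example, not the answerer's configuration or anything from the original thread. It assumes Cisco IOS policy-based IPsec (crypto map plus extended ACL) syntax and uses constructed branch subnets within the question's 192.168.x.0/24 range. It generates the spoke-side crypto ACL (own LAN to HQ plus own LAN to every other branch), the HQ-side ACL for each tunnel as an exact mirror, and the spoke NAT exemption, and it checks that every branch-to-branch path is permitted at all three hops.

```python
"""Hub-and-spoke crypto ACL / NAT-exemption generator.

Added example (not the answerer's configuration). Assumes Cisco IOS
policy-based IPsec (crypto map + extended ACL) syntax; the branch subnets
below are constructed to match the question's 192.168.x.0/24 layout.
"""
from ipaddress import IPv4Network

HQ_LAN = IPv4Network("192.168.1.0/24")

# Constructed: the question only gives the 192.168.2.0-192.168.10.0 range.
BRANCH_LANS = {
    "branch1": IPv4Network("192.168.2.0/24"),
    "branch2": IPv4Network("192.168.3.0/24"),
    "branch3": IPv4Network("192.168.4.0/24"),
    "branch4": IPv4Network("192.168.5.0/24"),
    "branch5": IPv4Network("192.168.6.0/24"),
    "branch6": IPv4Network("192.168.7.0/24"),
}


def spoke_crypto_acl(branch, branches=BRANCH_LANS, hq=HQ_LAN):
    """Interesting traffic for the spoke's only tunnel (to HQ): its LAN to the
    HQ LAN, plus its LAN to every other branch LAN, so branch-to-branch
    packets are encrypted toward HQ instead of being NATed out to the Internet."""
    local = branches[branch]
    entries = [(local, hq)]
    entries += [(local, remote) for name, remote in branches.items() if name != branch]
    return entries


def hub_crypto_acl(branch, branches=BRANCH_LANS, hq=HQ_LAN):
    """Interesting traffic on HQ's tunnel toward `branch`: the exact mirror of
    the spoke's ACL. An entry present on one side only fails phase 2 with a
    proxy-identity mismatch, which is the usual cause of 'HQ reachable but
    the other branch is not' after a partial edit."""
    return [(dst, src) for (src, dst) in spoke_crypto_acl(branch, branches, hq)]


def is_mirror(spoke_acl, hub_acl):
    """True when every (src, dst) on the spoke appears as (dst, src) on the hub."""
    return {(s, d) for s, d in spoke_acl} == {(d, s) for s, d in hub_acl}


def path_is_covered(a, b, branches=BRANCH_LANS, hq=HQ_LAN):
    """Check all hops of a packet from branch a's LAN to branch b's LAN:
    encrypted at a, accepted on HQ's tunnel from a, re-encrypted on HQ's
    tunnel to b, and matched by b's mirror entry for the return direction."""
    src, dst = branches[a], branches[b]
    return (
        (src, dst) in spoke_crypto_acl(a, branches, hq)
        and (dst, src) in hub_crypto_acl(a, branches, hq)
        and (src, dst) in hub_crypto_acl(b, branches, hq)
        and (dst, src) in spoke_crypto_acl(b, branches, hq)
    )


def wildcard(net):
    """IOS ACLs take network + wildcard (inverse) mask, e.g. 0.0.0.255 for /24."""
    return f"{net.network_address} {net.hostmask}"


def render_acl(name, entries, action="permit"):
    """Render (src, dst) pairs as an IOS extended ACL."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {action} ip {wildcard(s)} {wildcard(d)}" for s, d in entries]
    return lines


def render_nat_exemption(branch, branches=BRANCH_LANS, hq=HQ_LAN, name="NAT-ACL"):
    """Spoke NAT ACL: deny every tunnel flow before the catch-all permit, so
    traffic bound for HQ or another branch keeps its private source address.
    Assumes 'ip nat inside source list NAT-ACL interface <outside> overload'."""
    lines = render_acl(name, spoke_crypto_acl(branch, branches, hq), action="deny")
    lines.append(f" permit ip {wildcard(branches[branch])} any")
    return lines


if __name__ == "__main__":
    for b in BRANCH_LANS:
        assert is_mirror(spoke_crypto_acl(b), hub_crypto_acl(b))
    print("! --- branch1 spoke ---")
    print("\n".join(render_acl("VPN-TO-HQ", spoke_crypto_acl("branch1"))))
    print("\n".join(render_nat_exemption("branch1")))
    print("! --- HQ, crypto ACL for the branch1 tunnel ---")
    print("\n".join(render_acl("VPN-TO-BRANCH1", hub_crypto_acl("branch1"))))
```

With a policy-based crypto map on the outside interface, the branch keeps its existing default route; it is the crypto ACL, not a per-branch static route, that steers branch-to-branch traffic into the tunnel. HQ also needs its own NAT exemption for HQ LAN to each branch LAN, and if the HQ device is an ASA rather than an IOS router, traffic that enters and leaves the same outside interface additionally requires `same-security-traffic permit intra-interface`.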