2313 Views, 0 Helpful, 3 Replies
Beginner

Static routes through site-to-site tunnel

Hello,

I am using a Cisco ASA 5505

Here is a description of my topology.

Headquarters = 192.168.201.0

Client X = 172.16.0.0

Datacenter = 10.12.0.0

Site to Site Tunnels:

Headquarters ---> Datacenter

Datacenter ---> Client X

I want the ability for computers in the Headquarters subnet to access the Client X subnet.

I have tried setting up a static route to push all traffic destined for 172.16.0.0 to the datacenter, but was unsuccessful.

Does someone know a solution for how I can route all 172.16.0.0 traffic through the tunnel?

I have tried adding a static route on my ASA but without success.

[attachment: route.jpg]

3 Replies

Cisco Employee (accepted solution)

Static routes through site-to-site tunnel

You can't just route the traffic from HQ through to the client site.

You would need to include the HQ and Client subnet in the crypto ACL between the datacenter and client, as well as between the HQ and datacenter.

You would also need to configure NAT exemption on the client side.

An IPSec tunnel is typically configured with specific subnets, hence you would need to include the additional subnet to be able to route from HQ to client and vice versa.

Beginner

Static routes through site-to-site tunnel

Hi Jennifer, thanks for the reply.

So is there a possibility if I add the 172.16.0.0 subnet to the tunnel on each end?

Right now the HQ tunnel to Datacenter has a local of 192.168.201.0/24 and a remote of 10.12.200.0/24.

I would need to add the remote of 172.16.0.0/16 to the tunnel?

Also I would need to add the 192.168.201.0 to the datacenter --> client tunnel?

So here is the example of the tunnel networks:

HQ Location

local - 192.168.201.0

remote - 10.12.200.0, 172.16.0.0

Datacenter:

local - 10.12.200.0, 172.16.0.0

remote - 192.168.201.0

Client:

local - 172.16.0.0

remote - 10.12.200.0, 192.168.201.0

Do you think the above would work?

Beginner (accepted solution)

Static routes through site-to-site tunnel

Hi,

Assuming the datacentre has two tunnels, one to Headquarters and one to Client, here is what needs to be configured for the ACLs.

Tunnel between HQ and Datacentre:

HQ Location

local - 192.168.201.0

remote - 10.12.200.0, 172.16.0.0

Datacenter:

local - 10.12.200.0, 172.16.0.0

remote - 192.168.201.0

Tunnel between Client and Datacentre:

Client

local - 172.16.0.0

remote - 10.12.200.0, 192.168.201.0

Datacenter:

local - 10.12.200.0, 192.168.201.0

remote - 172.16.0.0

Also proper translations will be required at all locations for traffic to pass.
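The crypto ACL and NAT-exemption changes described in the replies above, written out as ASA CLI for the datacenter (hub) and HQ boxes. This is an added example, not configuration from the thread: the object, ACL, crypto-map and interface names, the peer IP placeholders and the /24 and /16 masks are assumptions, ASA 8.3+ NAT syntax is assumed, and the existing IKE policy and transform sets are left untouched.

```cisco
! Datacenter ASA (hub). Names, interface names and peer placeholders are assumed; masks from the thread.
object network HQ-NET
 subnet 192.168.201.0 255.255.255.0
object network DC-NET
 subnet 10.12.200.0 255.255.255.0
object network CLIENT-NET
 subnet 172.16.0.0 255.255.0.0
!
! HQ <-> Client traffic enters and leaves the same outside interface (U-turn); the ASA drops it unless:
same-security-traffic permit intra-interface
!
! Crypto ACL for the HQ tunnel: local = DC + Client, remote = HQ
access-list VPN-TO-HQ extended permit ip object DC-NET object HQ-NET
access-list VPN-TO-HQ extended permit ip object CLIENT-NET object HQ-NET
! Crypto ACL for the Client tunnel: local = DC + HQ, remote = Client
access-list VPN-TO-CLIENT extended permit ip object DC-NET object CLIENT-NET
access-list VPN-TO-CLIENT extended permit ip object HQ-NET object CLIENT-NET
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer <HQ-PEER-IP>
crypto map OUTSIDE-MAP 20 match address VPN-TO-CLIENT
crypto map OUTSIDE-MAP 20 set peer <CLIENT-PEER-IP>
!
! NAT exemption: the DC subnet toward both peers, plus the transit HQ <-> Client flow (outside to outside)
nat (inside,outside) source static DC-NET DC-NET destination static HQ-NET HQ-NET no-proxy-arp route-lookup
nat (inside,outside) source static DC-NET DC-NET destination static CLIENT-NET CLIENT-NET no-proxy-arp route-lookup
nat (outside,outside) source static HQ-NET HQ-NET destination static CLIENT-NET CLIENT-NET
!
! ---------------------------------------------------------------------------
! HQ ASA 5505: add the Client subnet as a second remote network of the existing DC tunnel.
! No static route for 172.16.0.0 is needed: the crypto ACL selects the traffic and, assuming a
! default route via the outside interface, the packets reach the peer and are encrypted there.
object network HQ-NET
 subnet 192.168.201.0 255.255.255.0
object network DC-NET
 subnet 10.12.200.0 255.255.255.0
object network CLIENT-NET
 subnet 172.16.0.0 255.255.0.0
access-list VPN-TO-DC extended permit ip object HQ-NET object DC-NET
access-list VPN-TO-DC extended permit ip object HQ-NET object CLIENT-NET
crypto map OUTSIDE-MAP 10 match address VPN-TO-DC
crypto map OUTSIDE-MAP 10 set peer <DC-PEER-IP>
nat (inside,outside) source static HQ-NET HQ-NET destination static DC-NET DC-NET no-proxy-arp route-lookup
nat (inside,outside) source static HQ-NET HQ-NET destination static CLIENT-NET CLIENT-NET no-proxy-arp route-lookup
! The Client ASA mirrors this: add HQ-NET as a remote network of its DC tunnel plus a matching NAT exemption.
```

After sending interesting traffic, `show crypto ipsec sa` on each box should list an SA pair for 192.168.201.0/24 <-> 172.16.0.0/16 in addition to the original DC pair; if it is missing on one side, the proxy identities on the two peers do not mirror each other.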