09-16-2011 10:54 AM
Hi,
here is the network diagram.
192.168.1.1/24 -- Branch Router ------------ INTERNET ---------------- HQ Router -- 10.11.0.0/16
I want to create a site-to-site VPN to the branch office, but I want traffic to/from 10.11.250.0/24 to NOT go through the VPN.
Here is my plan, but I have not tried it yet: does this seem right?
1. Set up the VPN as normal (as if the special condition about 10.11.250.0/24 does not apply).
2. In the encryption ACL for the VPN, before the permit statement that permits 192.168.1.1/24 to go to the 10.11.0.0/16 network, add a line that denies 192.168.1.1/24 to go to 10.11.250.0/24.
3. In the NO NAT ACL, permit NAT for traffic destined to 10.11.250.0/24 first, then deny NAT for 10.11.0.0/16, and finally permit NAT for everything else.
Alternatively, what about not performing steps 2 and 3 above, but adding a route with a lower cost to the 10.11.250.0/24 network?
09-17-2011 12:04 AM
On your line 2, it is not necessary to add the deny rule, as there is an implicit deny anyway. As long as traffic from 192.168.1.0/24 is ONLY permitted to 10.11.0.0/16, all other traffic will be denied.
On your point 3, the NO NAT ACL just denies NAT for 10.11.0.0/16 and permits the rest.
Then your site-to-site VPN will work fine.
09-19-2011 08:35 AM
Please note that the class C network 10.11.250.0/24 (which should NOT go through the VPN tunnel) is a part of the class B network 10.11.0.0/16. In other words, I would like to tunnel everything to/from the 10.11.0.0/16 network except the class C 10.11.250.0/24.
Am I doing this correctly? Thanks
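Added example, not from the thread: a small first-match ACL evaluator in Python that encodes the crypto ACL and the NO NAT ACL exactly as the original poster laid them out (the branch network is written as 192.168.1.0/24 here, an assumption standing in for the post's 192.168.1.1/24). It shows why the explicit deny line in step 2 matters once 10.11.250.0/24 is understood to sit inside 10.11.0.0/16: with only the permit for the /16, traffic to the /24 matches it and would be sent into the tunnel.

```python
import ipaddress

# ACL entries are evaluated top-down and the first match wins; a packet that
# matches nothing falls through to the implicit deny at the end, the same
# semantics as an IOS extended ACL.
def first_match(acl, src, dst):
    """Return the action of the first entry matching src/dst, else 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

BRANCH = "192.168.1.0/24"       # assumed branch LAN (post writes 192.168.1.1/24)
HQ = "10.11.0.0/16"
EXCLUDED = "10.11.250.0/24"     # carve-out that must stay out of the tunnel

# Crypto ACL from step 2: the deny must come BEFORE the permit for the /16,
# because every address in 10.11.250.0/24 also lies inside 10.11.0.0/16.
CRYPTO_ACL_WITH_DENY = [
    ("deny", BRANCH, EXCLUDED),
    ("permit", BRANCH, HQ),
]
# Variant with only the permit line (relying on the implicit deny alone).
CRYPTO_ACL_PERMIT_ONLY = [
    ("permit", BRANCH, HQ),
]

# NO NAT ACL from step 3: permit = translate, deny = exempt from NAT.
NONAT_ACL = [
    ("permit", BRANCH, EXCLUDED),     # translate traffic to the excluded /24
    ("deny", BRANCH, HQ),             # exempt the rest of the /16 (tunnelled)
    ("permit", BRANCH, "0.0.0.0/0"),  # translate everything else (Internet)
]

def encrypted(crypto_acl, src, dst):
    """True if the crypto ACL would select this flow for the tunnel."""
    return first_match(crypto_acl, src, dst) == "permit"

def translated(src, dst):
    """True if the NO NAT ACL would hand this flow to NAT."""
    return first_match(NONAT_ACL, src, dst) == "permit"

def classify(src, dst, crypto_acl=CRYPTO_ACL_WITH_DENY):
    """Describe how a branch-originated packet would be handled."""
    return {"encrypt": encrypted(crypto_acl, src, dst), "nat": translated(src, dst)}
```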