site to site VPN help

tachyon05
Level 1

Hi,

Here is the network diagram.

192.168.1.1/24  -- Branch Router ------------ INTERNET ---------------- HQ Router -- 10.11.0.0/16

I want to create a site-to-site VPN between the branch office and HQ, but I want traffic to/from 10.11.250.0/24 to NOT go through the VPN.

Here is my plan, but I have not tried it yet. Does this seem right?

1. Set up the VPN as normal (as if the special condition about 10.11.250.0/24 does not apply).

2. In the encryption ACL for the VPN, before the permit statement that permits 192.168.1.1/24 to go to the 10.11.0.0/16 network, add a line that denies 192.168.1.1/24 to go to 10.11.250.0/24.

3. In the NO NAT ACL, permit NAT for traffic destined to 10.11.250.0/24 first, then deny NAT for 10.11.0.0/16, and finally permit NAT for everything else.

Alternatively, what about not performing steps 2 and 3 above, but adding a router with a lower cost to the 10.11.250.0/24 network?


Ackld2009
Level 1

On your line 2, it is not necessary to add the deny rule, as there is an implicit deny anyway. As long as traffic from 192.168.1.0/24 is ONLY permitted to 10.11.0.0/16, all other traffic will be denied.

On your point 3, the NO NAT ACL should just deny NAT for 10.11.0.0/16 and permit the rest.

Then your site-to-site VPN will work fine.

tachyon05
Level 1

Please note that the class C network 10.11.250.0/24 (which should NOT go through the VPN tunnel) is part of the class B network 10.11.0.0/16. In other words, I would like to tunnel everything to/from the 10.11.0.0/16 network except the class C 10.11.250.0/24.

Am I doing this correctly? Thanks
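The following is an added illustration, not part of the thread and not Cisco IOS code: a small Python model of first-match ACL evaluation applied to the crypto ACL and NO NAT ACL proposed in the question. It assumes the branch network is written as 192.168.1.0/24 (as in the reply), that a `permit` match in the crypto ACL means "encrypt" and a `deny` (explicit or implicit) means "send in the clear", and that a `permit` match in the NAT ACL means "translate". The sample flows are constructed. It evaluates the step-2 ACL both with and without the deny line so the effect of the /24 sitting inside the /16 is visible.

```python
"""First-match ACL model for the crypto ACL and NO NAT ACL discussed in the thread.
Constructed example; it mimics IOS ACL ordering semantics, it is not IOS itself."""
from ipaddress import ip_address, ip_network


def ace(action, src, dst):
    """One access-control entry: ('permit'|'deny', source network, destination network)."""
    return (action, ip_network(src), ip_network(dst))


def first_match(acl, src, dst):
    """Return the action of the first entry matching (src, dst).
    No match falls through to the implicit deny at the end of every ACL."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


# Crypto ACL as in step 2 of the question: explicit deny for the /24
# placed BEFORE the permit for the enclosing /16.  permit => encrypt.
CRYPTO_ACL_WITH_DENY = [
    ace("deny",   "192.168.1.0/24", "10.11.250.0/24"),
    ace("permit", "192.168.1.0/24", "10.11.0.0/16"),
]

# Same crypto ACL without the explicit deny, relying on the implicit deny only.
CRYPTO_ACL_NO_DENY = [
    ace("permit", "192.168.1.0/24", "10.11.0.0/16"),
]

# NO NAT ACL as in step 3 of the question.  permit => translate, deny => no NAT.
NAT_ACL = [
    ace("permit", "192.168.1.0/24", "10.11.250.0/24"),
    ace("deny",   "192.168.1.0/24", "10.11.0.0/16"),
    ace("permit", "192.168.1.0/24", "0.0.0.0/0"),
]


def classify(crypto_acl, nat_acl, src, dst):
    """Return (encrypted, natted) for a single flow under the two ACLs."""
    encrypted = first_match(crypto_acl, src, dst) == "permit"
    natted = first_match(nat_acl, src, dst) == "permit"
    return encrypted, natted


# Constructed sample flows from one branch host.
SAMPLE_FLOWS = [
    ("192.168.1.10", "10.11.250.5"),   # the /24 that must bypass the tunnel
    ("192.168.1.10", "10.11.3.7"),     # rest of the /16, should be tunnelled
    ("192.168.1.10", "203.0.113.9"),   # ordinary Internet traffic
]


def report(crypto_acl):
    """Map each sample destination to its (encrypted, natted) outcome."""
    return {dst: classify(crypto_acl, NAT_ACL, src, dst) for src, dst in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, acl in (("crypto ACL with deny", CRYPTO_ACL_WITH_DENY),
                      ("crypto ACL without deny", CRYPTO_ACL_NO_DENY)):
        print(name)
        for dst, (enc, nat) in report(acl).items():
            print(f"  -> {dst:<14} encrypted={str(enc):<5} natted={nat}")
```

With the deny line, 10.11.250.5 is left unencrypted and translated while 10.11.3.7 is encrypted and untranslated; without it, 10.11.250.5 matches the /16 permit and would be encrypted as well. The model only decides which ACL entry a flow hits; whether cleartext traffic to 10.11.250.0/24 actually reaches HQ depends on routing (the separate lower-cost path mentioned in the question), which the ACLs do not control.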