Static Route over Multiple Site-to-Site VPNs

hartross22
Beginner

Hi all

I'm hoping to get some advice on how to configure the following scenario.

I have 1 HQ with External static IP and internal IP 192.168.1.0

I have 6 Branch Offices, all with External Static IPs and internal addresses that range from 192.168.2.0 to 192.168.10.0; obviously some addresses are not used.

I have a site-to-site VPN for each of these branch offices back to the HQ and no VPN to each other.

I would like to be able to use a static route to allow communication between each site going through the HQ for Internal Phone system traffic.

I have tried adding static routes on each of the Branch office routers, for example:

Branch 1: ip route 192.168.3.254 255.255.255.0 192.168.1.254 (Note**192.168.3.254 Branch 2 Router and 192.168.1.254 HQ Router)

Branch 2: ip route 192.168.2.254 255.255.255.0 192.168.1.254 (Note**192.168.2.254 Branch 1 Router)

However, I cannot ping the routers from each end, but I can still ping HQ.

I would like to have this working without having to create a VPN for each site to each site as that would become rather messy.

Thanks


Jennifer Halim
Cisco Employee

If you are trying to allow communication between the branches via HQ, it won't work by just adding static routes.

There are 2 methods to allow communication between branches:

1) configure site-to-site VPN tunnels between each branch --> which is not an option, as you already mentioned you do not want to go down this route.

2) configure hub and spoke site-to-site VPN tunnels, where communication between branches will go via HQ.

If you are trying to configure Option 2, then you would need to configure the following:

Branch 1: on the crypto ACL to HQ, you would need to add: source: branch 1 LAN, destination: branch 2 LAN

Branch 2: on the crypto ACL to HQ, you would need to add: source: branch 2 LAN, destination: branch 1 LAN

HQ:

- on the crypto ACL to branch 1, you would need to add: source: branch 2 LAN, destination: branch 1 LAN

- On the crypto ACL to branch 2, you would need to add: source: branch 1 LAN, destination: branch 2 LAN

Then on all the branches, you would need to also add the respective NAT exemption.

Hope that helps.
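The hub-and-spoke crypto ACL and NAT-exemption changes described in the reply, written out as an added IOS configuration example (this is not configuration from the original post or from the reply's author). It uses the addressing given in the thread (HQ 192.168.1.0/24, Branch 1 192.168.2.0/24, Branch 2 192.168.3.0/24); the interface names, ACL names, crypto map name, transform-set name and the public peer addresses are assumed placeholders, and the ISAKMP policy and transform set are assumed to exist already from the working branch-to-HQ tunnels.

```cisco
! ---------- Branch 1 router (192.168.2.0/24) ----------
! Crypto ACL to HQ: the existing branch->HQ line plus the added branch->branch 2 line.
ip access-list extended VPN-TO-HQ
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
! NAT exemption: deny tunnel-bound traffic before the overload (PAT) rule matches it,
! otherwise the source is translated to the public IP and never matches the crypto ACL.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TO-HQ
interface GigabitEthernet0/0
 crypto map VPN
! Only a default route is needed: the packet for 192.168.3.0/24 follows it to the
! outside interface, where the crypto map matches it and encrypts it towards HQ.
ip route 0.0.0.0 0.0.0.0 203.0.113.254

! ---------- Branch 2 router (192.168.3.0/24), mirror image ----------
ip access-list extended VPN-TO-HQ
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended NAT-INSIDE
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TO-HQ
interface GigabitEthernet0/0
 crypto map VPN
ip route 0.0.0.0 0.0.0.0 198.51.100.254

! ---------- HQ router (192.168.1.0/24), the hub ----------
! Crypto ACL to branch 1 also carries branch 2 -> branch 1 traffic.
ip access-list extended VPN-TO-BRANCH1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
! Crypto ACL to branch 2 also carries branch 1 -> branch 2 traffic.
ip access-list extended VPN-TO-BRANCH2
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
! NAT exemption for HQ's own LAN towards both branch LANs.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
! One crypto map, one sequence number per branch peer.
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-TO-BRANCH1
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TO-BRANCH2
interface GigabitEthernet0/0
 crypto map VPN
ip route 0.0.0.0 0.0.0.0 203.0.113.254
```

The crypto ACLs on each side of a tunnel must be exact mirrors (Branch 1's `192.168.2.0 -> 192.168.3.0` line pairs with HQ's `192.168.2.0 -> 192.168.3.0` line in VPN-TO-BRANCH2), or phase 2 fails to negotiate for that pair of networks. After applying the change, a ping from a host on the branch 1 LAN to a host on the branch 2 LAN should bring up the new IPsec SAs, which you can confirm with `show crypto ipsec sa` on the hub: the branch 1 tunnel should show a `192.168.2.0/24 <-> 192.168.3.0/24` SA alongside the original HQ-LAN SA, and its encaps/decaps counters should increase with each ping.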
