Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1379
Views
0
Helpful
1
Replies

Static Route over Mutliple Site-to-Site VPN's

hartross22
Level 1
Level 1

‎03-27-2013 09:01 PM

Hi all

Im hoping to get some advice on how to configure the following scenario.

I have 1 HQ with External static IP and internal IP 192.168.1.0

I have 6 Branch Offices all with External Static IP's and internal addresses that range from 192.168.2.0 to 192.168.10.0 obviously some addresses are not used.

I have a site-to-site VPN for each of these branch offices back to the HQ and no VPN to each other.

I would like to be able to use a static route to allow communication between each site going through the HQ for Internal Phone system traffic.

I have tried adding static routes one each of the Branch office routers for example

Branch 1: ip route 192.168.3.254 255.255.255.0 192.168.1.254 (Note**192.168.3.254 Branch 2 Router and 192.168.1.254 HQ Router)

Branch 2: ip route 192.168.2.254 255.255.255.0 192.168.1.254 (Note**192.168.2.254 Branch 1 Router)

However i cannot ping the routers from each end but i can still ping HQ

I would like to have this working without having to create a VPN for each site to each site as that would become rather messy.

Thanks

Labels:
0 Helpful
1 Reply 1

Jennifer Halim
Cisco Employee
Cisco Employee

‎03-27-2013 11:53 PM

If you are trying to allow communication between the branches via HQ, it won't work by just adding static routes.

There are 2 methods to allow communication between branches:

1) configure site-to-site VPN tunnels between each branches --> which is not an option as you already mention you do not want to go down this route.

2) configure hub and spoke site-to-site VPN tunnels, where communication between branches will go via HQ.

If you are trying to configure Option 2, then you would need to configure the following:

Branch 1: on the crypto ACL to HQ, you would need to add: source: branch 1 LAN, destination: branch 2 LAN

Branch 2: on the crypto ACL to HQ, you would need to add: source: branch 2 LAN, destination: branch 1 LAN

HQ:

- on the crypto ACL to branch 1, you would need to add: source: branch 2 LAN, destination: branch 1 LAN

- On the crypto ACl to branch 2, you would need to add: source: branch 1 LAN, destination: branch 2 LAN

Then on all the branches, you would need to also add the respective NAT exemption.

Hope that helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents