
VPN hub and spoke question

bfpnaeechange asked:

Tags: VPN, Networking Hardware-Other, Network Security
I need two branch routers to be able to pass traffic to each other without a dedicated vpn tunnel between the two branches.


HQ LAN is 172.16.x.x and 172.17.x.x

Branch Routers use 192.168.x.x


***PIX***



access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list nonat permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0

access-list mtl01rt01ec permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list mtl01rt01ec permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0

route outside 192.168.48.0 255.255.255.0 "Internet Router"


**************************************************************************

***Spoke router 1***



crypto map nolan 18 ipsec-isakmp
 set peer "HUB PIX"
 set transform-set sharks
 match address 121


access-list 110 deny   ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny   ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.48.0 0.0.0.255 any
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
!
route-map nonat permit 10
 match ip address 110


ip nat inside source route-map nonat interface Ethernet0 overload
**************************************************************************

***Spoke router 2***


crypto map nolan 18 ipsec-isakmp
 set peer "HUB PIX"
 set transform-set sharks
 match address 121


access-list 110 deny   ip 192.168.49.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny   ip 192.168.49.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.49.0 0.0.0.255 any
access-list 121 permit ip 192.168.49.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.49.0 0.0.0.255 172.17.0.0 0.0.255.255
!
route-map nonat permit 10
 match ip address 110


ip nat inside source route-map nonat interface Ethernet0 overload
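As an added check, not part of the question or of any answer on this page, the Python script below evaluates the ACLs exactly as posted above (spoke 1 and the PIX) the way the devices would: first match wins, with the implicit deny at the end. It then walks a packet from the spoke LAN through the crypto map (`match address 121`) and the NAT route-map (`match ip address 110`) to report which path it takes. The sample flows (192.168.48.10 to an HQ host, and 192.168.48.10 to a host on spoke 2's 192.168.49.0/24) are constructed for the demonstration; everything else is copied from the configuration in the question.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Copied from the question: spoke router 1 (IOS, wildcard masks).
SPOKE1_CONFIG = """
access-list 110 deny   ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny   ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.48.0 0.0.0.255 any
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.48.0 0.0.0.255 172.17.0.0 0.0.255.255
"""

# Copied from the question: hub PIX (subnet masks, not wildcards).
PIX_CONFIG = """
access-list nonat permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list nonat permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list mtl01rt01ec permit ip 172.16.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list mtl01rt01ec permit ip 172.17.0.0 255.255.0.0 192.168.48.0 255.255.255.0
"""


def _net(addr, mask, style):
    """Build a network from an ACL address/mask pair.
    IOS ACLs use wildcard masks (0 bit = must match); PIX ACLs use subnet masks."""
    if style == "ios":
        mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
        mask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_acl(text, style):
    """Parse 'access-list <name> <permit|deny> ip <src> <dst>' lines, where each
    endpoint is '<addr> <mask>', 'host <addr>' or 'any'. Other lines (crypto map,
    route, comments) are ignored. Returns {name: [(action, src_net, dst_net), ...]}
    in configured order, which is the order the device evaluates them."""
    acls = {}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        name, action, rest = tok[1], tok[2], tok[4:]
        fields, i = [], 0
        while i < len(rest):
            if rest[i] == "any":
                fields.append(ANY)
                i += 1
            elif rest[i] == "host":
                fields.append(ipaddress.IPv4Network(rest[i + 1] + "/32"))
                i += 2
            else:
                fields.append(_net(rest[i], rest[i + 1], style))
                i += 2
        src, dst = fields
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def lookup(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny every Cisco ACL ends with."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def spoke_path(spoke_acls, src_ip, dst_ip):
    """Path a packet from the spoke LAN takes on the posted spoke config:
    crypto ACL 121 is consulted first (crypto map 'match address 121');
    if it does not match, route-map 'nonat' (ACL 110) decides whether the
    packet is PAT'd out Ethernet0; a deny there means plain routing."""
    if lookup(spoke_acls["121"], src_ip, dst_ip) == "permit":
        return "ipsec-to-hub"
    if lookup(spoke_acls["110"], src_ip, dst_ip) == "permit":
        return "nat-to-internet"
    return "routed-unencrypted"


SPOKE1_ACLS = parse_acl(SPOKE1_CONFIG, "ios")
PIX_ACLS = parse_acl(PIX_CONFIG, "pix")

if __name__ == "__main__":
    # Constructed sample flows: spoke 1 host to HQ, and spoke 1 host to spoke 2 host.
    for dst in ("172.16.1.1", "192.168.49.10"):
        print(f"spoke1 192.168.48.10 -> {dst}: {spoke_path(SPOKE1_ACLS, '192.168.48.10', dst)}")
    # Does the hub's crypto ACL cover traffic arriving from spoke 2 bound for spoke 1?
    print("PIX crypto ACL, 192.168.49.10 -> 192.168.48.10:",
          lookup(PIX_ACLS["mtl01rt01ec"], "192.168.49.10", "192.168.48.10"))
```

Run as posted, the script reports the spoke-to-HQ flow as `ipsec-to-hub` and the spoke-to-spoke flow as `nat-to-internet`: ACL 121 has no entry for 192.168.49.0/24, so the packet falls through to the `permit ... any` line of ACL 110 and is PAT'd out Ethernet0 toward the Internet instead of entering the tunnel. The hub side shows the same gap: the PIX crypto ACL `mtl01rt01ec` only matches HQ-to-spoke traffic, so a 192.168.49.x-to-192.168.48.x packet hits the implicit deny. Since IPsec peers must carry mirror-image crypto ACLs for a flow to be protected in both directions, re-running this script against any edited configuration is a quick way to confirm that each spoke's crypto ACL and the hub's crypto and nonat ACLs all agree before testing on the hardware.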
ASKER CERTIFIED SOLUTION
John Meggers
Network Architect