Ross Mccullough

asked on

Question on Static Routing vs. VPN Connections

Group, wanted to run a scenario by you and get your input. Here is our setup:

Site 1
Administrative LAN 172.16.8.1
Workstation VLAN 10.0.2.1

Site 2
LAN 192.168.10.0

I need to be able to connect the VLAN of Site 1 to the LAN of Site 2. Currently we have an IPsec tunnel from LAN <---> LAN, so the question is how to route the traffic. My questions are these:

In Site 1 do I do a static route to force the traffic out?
Do I break the existing connection from LAN to LAN and do the Site 1 VLAN to Site 2 LAN VPN tunnel? Will it let me do a tunnel from a VLAN to a LAN?
Do I create a second tunnel from Site 2 to both the Site 1 LAN and VLAN?

Appreciate your time and input as always experts.
ASKER CERTIFIED SOLUTION
Sanga Collins

Agreed, it's just a route and probably a firewall rule. No need for another tunnel.
It depends on the type of firewall you have.

On most firewalls and routers you set up a tunnel interface and then point routes at it, as has already been mentioned. In this case, just add another route pointing to the tunnel interface. But make sure routing is set up on both sides so return traffic can get back.

However, I know that it doesn't quite work that way for the Cisco PIX/ASA firewalls. There you have to use the route that points you to the internet instead (usually the default route). Then you have to create the ACL for nat 0 (NAT exemption) and an ACL used to identify "interesting" traffic that is to go through the tunnel. In this case you just add the other subnets to the nat 0 ACL and the interesting-traffic ACL. Then you kill the tunnel SA and let it form again by sending traffic that will be encapsulated in the tunnel.
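As an added illustration of the "make sure routing is set up on both sides" point and the crypto / nat 0 ACL description above (example code, not posted by anyone in this thread), this Python script models both peers' interesting-traffic and NAT-exempt entries using the thread's subnets, flags entries that have no mirror image on the far side, and shows how each leg of a Site 2 to Site 1 ping would be treated. The policy contents are constructed assumptions, not either site's real configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policies using the thread's addressing; not anyone's real config.
# Each entry is (local_subnet, remote_subnet), the way an ASA "interesting traffic"
# crypto ACL line or a nat 0 (NAT exemption) line would express it. Site 1 still has
# only the original LAN<->LAN entry; Site 2 already carries the new VLAN entry.
SITE1_CRYPTO = [("172.16.8.0/24", "192.168.10.0/24")]
SITE1_NONAT = [("172.16.8.0/24", "192.168.10.0/24")]
SITE2_CRYPTO = [("192.168.10.0/24", "172.16.8.0/24"), ("192.168.10.0/24", "10.0.2.0/24")]
SITE2_NONAT = [("192.168.10.0/24", "172.16.8.0/24")]

def _norm(acl):
    """Parse CIDR strings so equal prefixes compare equal regardless of spelling."""
    return {(ip_network(a), ip_network(b)) for a, b in acl}

def classify(crypto_acl, src, dst):
    """Return 'tunnel' if src->dst matches an interesting-traffic entry, else 'clear'."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in _norm(crypto_acl):
        if s in local and d in remote:
            return "tunnel"
    return "clear"  # no match: the packet follows the default route unencrypted

def audit(name, crypto_acl, nonat_acl, peer_crypto_acl):
    """List crypto entries with no mirror image on the peer or no local NAT exemption."""
    findings = []
    peer, nonat = _norm(peer_crypto_acl), _norm(nonat_acl)
    for local, remote in sorted(_norm(crypto_acl), key=str):
        if (remote, local) not in peer:
            findings.append(f"{name}: {local}->{remote} has no mirror entry on the peer")
        if (local, remote) not in nonat:
            findings.append(f"{name}: {local}->{remote} is not NAT-exempt")
    return findings

def round_trip(src, dst):
    """How each leg of a Site 2 -> Site 1 ping is treated under the sample policies."""
    return {"request": classify(SITE2_CRYPTO, src, dst),
            "reply": classify(SITE1_CRYPTO, dst, src)}

if __name__ == "__main__":
    for finding in (audit("site1", SITE1_CRYPTO, SITE1_NONAT, SITE2_CRYPTO)
                    + audit("site2", SITE2_CRYPTO, SITE2_NONAT, SITE1_CRYPTO)):
        print(finding)
    print(round_trip("192.168.10.50", "10.0.2.1"))
```

With these sample policies the request leg is encrypted but the reply leg from 10.0.2.1 leaves Site 1 in the clear, which is the kind of one-sided policy the audit is meant to catch.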
Ross Mccullough (ASKER)

Group,
Thanks so much for your feedback. In our Site 2 router (2911) I have added the following under Static and Dynamic Routing, but I cannot ping the VLAN gateway in Site 1 at 10.0.2.1; I can ping the LAN gateway via the VPN tunnel at 172.16.8.1. Thanks very much guys!

<Entry>
Prefix: 10.0.2.0
Prefix Mask 255.255.255.0
Forwarding (Next Hop) Interface
Forwarding Interface Gi0/0  (outside interface)
Metric 2
Permanent route <unchecked>