Thanks for posting your question on the forum!
Traffic that goes over a VPN tunnel is determined by the traffic specified in the traffic selectors for that particular VPN, also known as VPN selectors. There is no need to add any additional routes or configure policy-based routing. The VPN tunnel uses the branch office's internet connection so it will use the default route. However, we can choose which traffic goes over the VPN tunnel by specifying it in the VPN selectors.
Configuration modifications will need to be made on the branch router as well as the main router for this application to work. The instructions below will use an example where the branch office has a LAN of 192.168.10.0 /24 and HQ has a LAN of 10.10.10.0 /24. The HQ's WAN IP is 22.214.171.124 . You have a customer that has an IP address of 126.96.36.199. You would like to route traffic coming from the branch office destined for your customer at 188.8.131.52 across the VPN tunnel to HQ and then routed out HQ's internet connection.
The branch office will need its VPN selectors defined as the following:
ip access-list ext BranchVPN
permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255 <- For branch to HQ traffic
permit ip 192.168.10.0 0.0.0.255 host 184.108.40.206 <- For branch to customer traffic
HQ will need its VPN selectors defined as the following:
ip access-list ext HQVPN
permit ip 10.10.10.0 0.0.0.255 192.168.10.0.0.0.0.255 <- For HQ to branch traffic
permit ip host 220.127.116.11 192.168.10.0 0.0.0.255 <- For customer to branch traffic
You will also need to configure an additional ACL and make an additional change in HQ's public policy-class/security zone:
ip access-list extended Branch2Customer
permit ip 192.168.10.0 0.0.0.255 host 18.104.22.168
ip policy-class Public
nat source list Branch2Customer address 22.214.171.124 overload <- This will NAT Branch to customer traffic to go out HQ internet connection
allow reverse list HQVPN stateless
You will also need to disable RPF check for the Public policy-class. This can be done with the following command:
no ip policy-class Public rpf-check
Please do not hesitate to let me know if you have any questions.
Thanks for the info. This all makes sense so I gave this a try but no luck. This is the relevant portions of my config. The lines in red are the lines that I added. I replaced the public IP's with 126.96.36.199 and 188.8.131.52 for posting to the forum.
Am I missing something?
Branch Office router
ip access-list extended VPN-10-vpn-selectors
permit ip 10.10.20.0 0.0.0.255 10.10.0.0 0.0.255.255
permit ip 10.10.20.0 0.0.0.255 host 184.108.40.206
ip access-list extended VPN-70-vpn-selectors1
permit ip 10.10.0.0 0.0.255.255 10.10.20.0 0.0.0.255
permit ip host 220.127.116.11 10.10.20.0 0.0.0.255
ip access-list extended RemoteSitesStaticRoutes
permit ip 10.10.20.0 0.0.0.255 host 18.104.22.168
ip policy-class Public-2
nat source list RemoteSitesStaticRoutes address 22.214.171.124 overload
nat destination list OUTSIDE-Numonyx pool POOL-Numonyx
allow list ADTRAN
nat destination list web-acl-20-Comcast address 10.10.2.32
nat destination list web-acl-28-Comcast address 10.10.1.32
nat destination list web-acl-30-Comcast address 10.10.2.41
nat destination list web-acl-32-Comcast address 10.10.8.35
nat destination list web-acl-66-Comcast address 10.10.1.36
nat destination list web-acl-108 address 10.10.3.36 port 80
nat destination list web-acl-110 address 10.10.3.36
nat destination list web-acl-111 address 10.10.1.44
nat destination list web-acl-103 address 10.10.1.36
allow list web-acl-118 self
The commands you entered appear correct. However, I think you will also need to add the "no ip policy-class Public-2 rpf-check" command at the main router. This can be done in config mode.
A good way to try and determine what is happening to the traffic is to issue the "show ip policy-session" command. You should view the Private policy-class at the branch office and the Public-2 policy-class to see if traffic is being passed and NATted the way you want.
Let us know if you have any questions.
Chris- I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Thank you very much, this worked great! Very useful.