Hi Checkmates,
Our customer has several meshed VPN Communities, connecting his HQ with remote sites as well as with suppliers. Situation is as follows for 3 sites:
A (Supplier - Juniper)    B (HQ CP5000)       C (RemoteSite CP14x0)
10.10.0.0/24              10.200.10.0/24      10.200.201.0/24
10.20.0.0/16              10.200.11.0/24      10.200.202.0/24
10.40.0.0/16              10.200.12.0/24
10.0.0.0/8
Policy-based s2s between A and B.
Route-based s2s between B and C.
Users in Site C 10.200.201.0/24 (customer remote site) need to connect to a supplier's server in 10.40.0.0/16. This traffic is allowed and working - my predecessor configured user.def.FW1 for the tunnel between A and B.
Now, due to changes and the supplier being reluctant to configure lots of encryption domains, we were looking into changing them for the tunnel between A and B. The plan was to set it as follows for our side:
B
10.200.0.0/16
But then traffic between C and A stopped working.
Finally my question:
How can we change B's encryption domain to include C's subnets? Note also that the customer does not allow Hide NAT because he fears this might interfere with H.323 video traffic.
Kind Regards
P