Route traffic between branch offices/partners via site-to-site VPN tunnels

How should I build a site-to-site VPN between HQ and Partner, and allow HQ/Site-A/Site-B to access resources at Partner?

  • HQ: Checkpoint FW (R77.30) with 10.0.0.0/8
  • Site-A: Cisco ASA with 192.168.1.0/24
  • Site-B: Cisco ASA with 192.168.2.0/24
  • Partner: Cisco ASA with 172.16.0.0/16

  • Star community HQ-A on GW-HQ is working. All traffic from Site-A goes through HQ, including Internet traffic.
  • Star community HQ-B on GW-HQ is working. Site-B has its own Internet.
  • A new tunnel is to be built between HQ and Partner. HQ, Site-A and Site-B need to access some resources at Partner. All traffic will be hidden behind a single IP.

The first thought is to put GW-HQ, GW-A, GW-B and GW-Partner in a Star community with GW-HQ being the Center Gateway. The challenge is that all settings (except PSK?) need to be the same for all tunnels in this community. However, since Site-A sends all traffic to HQ, it has some special requirements, such as “One VPN tunnel per Gateway pair” and “To center, or through the center to other satellites, to internet and other VPN targets” being checked. Site-B and Partner have to use “One VPN tunnel per each pair of hosts” or “One VPN tunnel per subnet pair”.

Domain based VPN is in use.

Thanks in advance.
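Added example, not part of the post and not Check Point's own routing logic: a small Python model of the topology described above, with the single star community split into two (one per settings profile, both centred on GW-HQ). It traces which tunnel legs a packet crosses and what source address each peer sees, so that the two design questions in the post (where Site-A's "through the center" setting matters, and what the Partner ASA actually needs in its encryption domain once HQ hides everything behind one address) can be checked against concrete flows. The community names, the "HQ-B-Partner" split and the hide-NAT address 203.0.113.10 are assumptions; the VPN domains are the ones listed in the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology taken from the question. The single hide-NAT address is a
# placeholder from TEST-NET-3; the question does not give the real one.
DOMAINS = {
    "GW-HQ": [ip_network("10.0.0.0/8")],
    "GW-A": [ip_network("192.168.1.0/24")],
    "GW-B": [ip_network("192.168.2.0/24")],
    "GW-Partner": [ip_network("172.16.0.0/16")],
}
HIDE_IP = ip_address("203.0.113.10")


@dataclass(frozen=True)
class Community:
    name: str
    center: str
    satellites: tuple
    through_center: bool   # satellites reach the Internet and other satellites via the center
    tunnel_sharing: str    # "gateway_pair" or "subnet_pair"


# Assumed split (not from the post): one star community per settings profile.
COMMUNITIES = (
    Community("HQ-A", "GW-HQ", ("GW-A",), True, "gateway_pair"),
    Community("HQ-B-Partner", "GW-HQ", ("GW-B", "GW-Partner"), False, "subnet_pair"),
)


@dataclass(frozen=True)
class Leg:
    src_gw: str
    dst_gw: str          # a gateway name or "Internet"
    community: str       # community name, or "" for clear-text breakout
    src_seen: str        # source address the next hop sees


def gateway_for(ip):
    """Gateway whose VPN domain contains ip, or None for Internet addresses."""
    ip = ip_address(ip)
    for gw, nets in DOMAINS.items():
        if any(ip in n for n in nets):
            return gw
    return None


def community_for(gw1, gw2):
    """Community carrying a direct tunnel between gw1 and gw2 (center<->satellite only)."""
    for c in COMMUNITIES:
        if {gw1, gw2} <= {c.center, *c.satellites} and c.center in (gw1, gw2):
            return c
    return None


def route(src, dst):
    """Model the legs a packet takes under the rules stated in the question:
    Partner is reached only from HQ, hidden behind HIDE_IP; Site-A sends everything
    (Internet included) to HQ; Site-B breaks out to the Internet locally."""
    src, dst = ip_address(src), ip_address(dst)
    here, dst_gw = gateway_for(src), gateway_for(dst)
    if here is None:
        raise ValueError(f"{src} is not inside any VPN domain")
    if here == dst_gw:
        return []                                  # same site, stays in the clear
    legs = []
    if dst_gw == "GW-Partner":
        if here != "GW-HQ":                        # satellite -> center first
            c = community_for(here, "GW-HQ")
            legs.append(Leg(here, "GW-HQ", c.name, str(src)))
        c = community_for("GW-HQ", "GW-Partner")
        legs.append(Leg("GW-HQ", "GW-Partner", c.name, str(HIDE_IP)))  # NAT before VPN
        return legs
    if dst_gw is None:                             # Internet-bound
        c = next((c for c in COMMUNITIES if here in c.satellites), None)
        if c is not None and c.through_center:
            legs.append(Leg(here, "GW-HQ", c.name, str(src)))
            legs.append(Leg("GW-HQ", "Internet", "", str(HIDE_IP)))  # assumed HQ egress NAT
        else:
            legs.append(Leg(here, "Internet", "", str(src)))         # local breakout, NAT not modelled
        return legs
    c = community_for(here, dst_gw)
    if c is None:                                  # satellite <-> satellite, via the center
        c1, c2 = community_for(here, "GW-HQ"), community_for("GW-HQ", dst_gw)
        if not (c1 and c1.through_center):
            raise ValueError(f"{here} cannot reach {dst_gw}: no path through the center")
        return [Leg(here, "GW-HQ", c1.name, str(src)), Leg("GW-HQ", dst_gw, c2.name, str(src))]
    return [Leg(here, dst_gw, c.name, str(src))]


def partner_proxy_ids():
    """Subnet pairs the Partner ASA needs in its crypto ACL: only HIDE_IP, not
    10.0.0.0/8 or the branch subnets, because HQ hides everything before encrypting.
    The HQ side must correspondingly include HIDE_IP in its own VPN domain."""
    return {(str(ip_network(f"{HIDE_IP}/32")), str(n)) for n in DOMAINS["GW-Partner"]}


if __name__ == "__main__":
    for flow in (("192.168.1.10", "172.16.5.5"), ("192.168.2.10", "172.16.5.5"),
                 ("192.168.1.10", "1.1.1.1"), ("192.168.2.10", "1.1.1.1")):
        print(flow, route(*flow))
    print("Partner proxy IDs:", partner_proxy_ids())
```

The model makes the trade-off visible: Site-B and Partner never need "through the center", so they can sit in a community with per-subnet tunnels, while Site-A keeps its own community with per-gateway-pair tunnels and the "through the center" option. The `partner_proxy_ids()` result is also the list to compare against the Partner ASA's crypto ACL: if the Partner side lists 10.0.0.0/8 or the branch subnets instead of the hide address, the proxy IDs will not match and Phase 2 will fail.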
