Subject: Re: [AFMUG] Tik to Cisco VPN

My suggestion was to stick a 172 out at these small remotes, but the network guys are squalling about their ACLs everywhere.

They said "can't we just ip route the 10/8 to the public IP and the Tik would encapsulate the traffic on across the tunnel!?" I'm not sure of the answer to that, but it doesn't seem like it would work in my mind.

___________________________
Mangled by my iPhone.
___________________________
Tyler Treat
Corn Belt Technologies, Inc.
[email protected]
___________________________

On Nov 4, 2015, at 5:28 PM, Vlad Sedov <[email protected]> wrote:

You can use address lists on NAT rules, but not on IPsec policies. It would be easier if both ends were Tiks, so you could just do transport mode and an EoIP tunnel in between, and just set static routes back and forth. I would re-number the smaller net.. Maybe there's some other kung-fu that might work, like 1-to-1 NAT on the Tik, but that's a back-asswards solution.

Vlad

On 11/4/2015 5:18 PM, Tyler Treat wrote:

Yeah. I sorta inherited it. Would it be feasible to build an address list of all the subnets *except* the 10.11.160.x and tell it "this list is across the tunnel"?

On Nov 4, 2015, at 5:14 PM, Vlad Sedov <[email protected]> wrote:

So you have 10/8 on one end and 10.11.160/24 on the other? Yeah, that could get messy..

Vlad

On 11/4/2015 5:11 PM, Tyler Treat wrote:

Well... I think we're gonna have an issue. 10.11.160.0 is the local, everything else 10.x.x.x is at the other end. Not sure how to address that with the NAT rule. Almost need to have a 172.x to provide some separation.

On Wednesday, November 4, 2015 at 4:50 PM, Vlad Sedov <[email protected]> wrote:

This happens via the IPSec policy, as long as source and destination match. Don't forget the srcnat accept rule from local net to remote, and place it above all other NAT rules.

Vlad

On 11/4/2015 4:46 PM, Tyler Treat wrote:

Following up on this - got the tunnel up, but in the Tik, where do I point my local subnet to send the traffic across the tunnel? For example, if 10.x.x.x is across the tunnel, where do I tell the Tik to send that traffic?

On Friday, October 30, 2015 at 8:57 AM, Josh Luthman <[email protected]> wrote:

Read the wiki page on it to get the values all married up.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373

On Oct 30, 2015 9:47 AM, "Tyler Treat" <[email protected]> wrote:

Any gotchas when doing a Tik to Cisco ASA VPN? Known issues?
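Editor's added example (not posted by anyone in the thread): the RouterOS side of what the 4:50 PM reply describes, plus the 1-to-1 NAT variant mentioned at 5:28 PM for the case where the local /24 sits inside the remote 10/8. RouterOS tunnel-mode IPsec is policy-based: a packet is encapsulated because it matches a policy's source/destination selectors, not because a route sends it to the peer's public IP, so the policy and the srcnat bypass rule are what steer traffic into the tunnel. All addresses, the PSK, the interface name and the 172.16.160.0/24 translation net are placeholders I chose; the syntax is the RouterOS 6.3x-era CLI (before the 6.44 peer/identity/profile split) that matches the 2015 date of the thread. The ASA's crypto ACL, transform set and Phase 1 parameters must mirror whatever is configured here.

```routeros
# Added example, not from the thread. Assumed placeholders:
#   Tik WAN 198.51.100.2 on ether1, ASA WAN 203.0.113.1,
#   local LAN 10.11.160.0/24, remote side 10.0.0.0/8, PSK "changeme".

# Phase 1 / Phase 2 parameters: must equal the ASA's isakmp policy and transform set.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer
add address=203.0.113.1/32 exchange-mode=main secret="changeme" \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# ---- Variant A: no overlap between the two sides (the 4:50 PM answer) ----
# Selection into the tunnel happens here, by selector match, not by a route.
/ip ipsec policy
add src-address=10.11.160.0/24 dst-address=10.0.0.0/8 tunnel=yes action=encrypt \
    sa-src-address=198.51.100.2 sa-dst-address=203.0.113.1 proposal=default
# The masquerade rule would otherwise rewrite the source before the policy is
# checked and the packet would leave un-encrypted; the accept rule must be first.
/ip firewall nat
add chain=srcnat action=accept src-address=10.11.160.0/24 dst-address=10.0.0.0/8 \
    place-before=0 comment="IPsec bypass: keep above every other srcnat rule"
add chain=srcnat action=masquerade out-interface=ether1 comment="normal internet NAT"

# ---- Variant B: local 10.11.160.0/24 is inside the remote 10.0.0.0/8 ----
# Use instead of Variant A's policy and accept rule. The local net is 1:1 NATed
# to 172.16.160.0/24 before encryption (srcnat runs before the policy lookup on
# egress; decryption runs before dstnat on ingress), so the ASA's crypto ACL
# must list 172.16.160.0/24, not 10.11.160.0/24, as the remote network.
/ip firewall nat
add chain=srcnat action=accept dst-address=10.11.160.0/24 place-before=0 \
    comment="router-originated traffic to the local LAN is not translated"
add chain=srcnat action=netmap src-address=10.11.160.0/24 dst-address=10.0.0.0/8 \
    to-addresses=172.16.160.0/24 place-before=1 \
    comment="1:1 NAT local LAN into 172.16.160.0/24 for the tunnel"
add chain=dstnat action=netmap src-address=10.0.0.0/8 dst-address=172.16.160.0/24 \
    to-addresses=10.11.160.0/24 comment="undo the 1:1 NAT for replies from the tunnel"
/ip ipsec policy
add src-address=172.16.160.0/24 dst-address=10.0.0.0/8 tunnel=yes action=encrypt \
    sa-src-address=198.51.100.2 sa-dst-address=203.0.113.1 proposal=default

# Checks after bringing it up (either variant):
#   /ip ipsec remote-peers print      -> state should be "established"
#   /ip ipsec installed-sa print      -> one inbound and one outbound SA per policy
#   /ip firewall nat print stats      -> the bypass/netmap rule counters increment
```

With Variant B the policy only matches the translated 172.16.160.0/24 source, so nothing that was not netmapped can be pulled into the tunnel; the 10.x hosts behind the ASA reach the remote site as 172.16.160.x, which is the "172 to provide some separation" from the thread, applied on the Tik rather than by renumbering the LAN.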
