Routing traffic from branch through HQ to vendor


L1 Bithead



Currently I'm labbing a situation where I'll need to have branch users route to a vendor through HQ via IPsec tunnels. Users at my branch can access Web/HQ services through the HQ firewall, but when accessing the vendor. Logs show from HQ the attempts to the vendor from the branch office. But nothing but incompletes/aged-out.


From HQ, I do see active connections for phaseII for the branch/vendor connection but of course no encap/decaps.


Also I do have redistribution profiles for Branch and Vendor connections on the HQ firewall.




L1 Bithead

Just found this, which I'm spot on. I do worry that my vendor side might be incorrect.

L1 Bithead

So I found the problem, or "more of a design issue".


The dynamic VPN setup on my branch side is the issue to the vendor. I realized that when setting up a direct connection from branch to vendor. The vendor does not support NAT-T!!!! Doh!!!! Which is why I would see the outbound encaps but no decaps back on the HQ side.


Back to the drawing board... Hopefully this stops someone from spinning their wheels.
