cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
609
Views
0
Helpful
2
Replies
Beginner

Site-to-Site VPN through EVPL Issue

I have been tasked with creating a VPN tunnel between our site and a vendor's support center.  I successfully created the tunnel, which negotiates fine, but I can't seem to get the traffic flowing properly.  The issue that I think I am having is that the vendor is using a public IP address for their remote internal network instead of a public one.  At least that's what I think the problem is, but I'm probably wrong   Here is a diagram of how the traffic should be flowing:

Office #3             Office #3                       Office #1            Office #1                         Vendor       Vendor

Desktop PC          Gateway                        Gateway            Firewall                           Public IP     Private LAN

192.168.5.158 -> 192.168.5.1 -> EVPL -> 192.168.0.11 -> 192.168.0.5 -> Internet -> 68.x.x.x -> 192.68.48.0/22

                             Cisco 2851                    Cisco 2851        ASA 5510                      Cisco 7206

When I trace a route from the desktop PC to an IP address on the remote vendor end, instead of going to the ASA the traffic goes to another office.  Here is what is happening to the traffic:

1     <1 ms     <1 ms     <1 ms     192.168.5.1          (Office #3 Gateway)

2       3 ms       3 ms       3 ms     172.20.254.5        (Office #3 EVPL VLAN to Office #2)

3       3 ms       3 ms       3 ms     192.168.1.14        (Office #2 Gateway)

4       4 ms       4 ms       4 ms     173.xxx.xxx.xxx   (Public Internet)

The office with the desktop PC has no local internet access, so all internet traffic gets routed to office #2 (192.168.1.0) as shown above.  I'm asuming this is happening because the vendor is using a public IP address instead of a private IP address for their network.  The routers look for the shortest route, which would be the internet, and then route the traffic there.  Instead they should be routing the traffic to office #1's ASA and then on to the remote vendor site.  The 2851 routers are using EIGRP.  I don't know if that is causing this to happen but I tried adding static routes and the traffic always goes to the same place.  I can provide configurations on any of the devices mentioned, save for the vendor's.  Thanks for taking the time to read my post and any help is very much appreciated!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Beginner

Site-to-Site VPN through EVPL Issue

Hello Crag,

I am assuming your interesting traffic is pointed to: 192.68.48.0 255.255.252.0. I saw your previous post and your interesting traffic on that config was this:

access-list outside_cryptomap_4 extended permit ip host 192.168.5.158 192.68.48.0 255.255.252.0

To me this looks likes a simple routing issue, that should be easily corrected.

On your Office #3 gateway, do a: show ip route 192.68.48.0

On your Office #1 gateway, do a: show ip route 192.68.48.0

Post those results.

If Office #3 isn't routing that network to 192.168.0.11, then you can fix that with possibly adding a static route on Office #1 gateway and redistributing that static route into EIGRP, or just adding a static route on your office #3 gateway router.

Please rate if helpful,
Gabriel

View solution in original post

2 REPLIES 2
Highlighted
Beginner

Site-to-Site VPN through EVPL Issue

Hello Crag,

I am assuming your interesting traffic is pointed to: 192.68.48.0 255.255.252.0. I saw your previous post and your interesting traffic on that config was this:

access-list outside_cryptomap_4 extended permit ip host 192.168.5.158 192.68.48.0 255.255.252.0

To me this looks likes a simple routing issue, that should be easily corrected.

On your Office #3 gateway, do a: show ip route 192.68.48.0

On your Office #1 gateway, do a: show ip route 192.68.48.0

Post those results.

If Office #3 isn't routing that network to 192.168.0.11, then you can fix that with possibly adding a static route on Office #1 gateway and redistributing that static route into EIGRP, or just adding a static route on your office #3 gateway router.

Please rate if helpful,
Gabriel

View solution in original post

Highlighted
Beginner

Site-to-Site VPN through EVPL Issue

Gabriel,

Thank you very much for your reply.  I apologize for not replying to your post sooner, I put this issue on hold and I'm just returning to it now.  I haven't been able to test the new static route that I added to Office #1's gateway, but I'm hoping that it will work.  I issued the command "show ip route 192.68.48.0" on Office #3's gateway and the result was "Network not in table", I got the same result on Office #1's gateway as well.  I assume that means there is no route configured so I went ahead and configured a route that I think will work.  On Office #3's gateway, I added the following static route "ip route 192.68.48.0 255.255.252.0 192.168.0.5".  My thinking is that I want to route all traffic from the 192.68.48.0 network to the ASA (192.168.0.5).  The only other route I could think of adding, if the one above doesn't work, is "ip route 192.68.48.0 255.255.252.0 192.168.0.11".  Again, thank you very much for your help it is much appreciated!

CreatePlease to create content
Content for Community-Ad