03-27-2013 09:45 AM - edited 03-07-2019 12:30 PM
I have been tasked with creating a VPN tunnel between our site and a vendor's support center. I successfully created the tunnel, which negotiates fine, but I can't seem to get the traffic flowing properly. The issue that I think I am having is that the vendor is using a public IP address for their remote internal network instead of a public one. At least that's what I think the problem is, but I'm probably wrong. Here is a diagram of how the traffic should be flowing:
Office #3 Desktop PC: 192.168.5.158
-> Office #3 Gateway: 192.168.5.1 (Cisco 2851)
-> EVPL
-> Office #1 Gateway: 192.168.0.11 (Cisco 2851)
-> Office #1 Firewall: 192.168.0.5 (ASA 5510)
-> Internet
-> Vendor Public IP: 68.x.x.x (Cisco 7206)
-> Vendor Private LAN: 192.68.48.0/22
When I trace a route from the desktop PC to an IP address on the remote vendor end, instead of going to the ASA the traffic goes to another office. Here is what is happening to the traffic:
1 <1 ms <1 ms <1 ms 192.168.5.1 (Office #3 Gateway)
2 3 ms 3 ms 3 ms 172.20.254.5 (Office #3 EVPL VLAN to Office #2)
3 3 ms 3 ms 3 ms 192.168.1.14 (Office #2 Gateway)
4 4 ms 4 ms 4 ms 173.xxx.xxx.xxx (Public Internet)
The office with the desktop PC has no local internet access, so all internet traffic gets routed to office #2 (192.168.1.0) as shown above. I'm assuming this is happening because the vendor is using a public IP address instead of a private IP address for their network. The routers look for the shortest route, which would be the internet, and then route the traffic there. Instead they should be routing the traffic to office #1's ASA and then on to the remote vendor site. The 2851 routers are using EIGRP. I don't know if that is causing this to happen, but I tried adding static routes and the traffic always goes to the same place. I can provide configurations on any of the devices mentioned, save for the vendor's. Thanks for taking the time to read my post, and any help is very much appreciated!
03-27-2013 10:24 AM
Hello Crag,
I am assuming your interesting traffic is pointed to: 192.68.48.0 255.255.252.0. I saw your previous post and your interesting traffic on that config was this:
access-list outside_cryptomap_4 extended permit ip host 192.168.5.158 192.68.48.0 255.255.252.0
To me this looks like a simple routing issue that should be easily corrected.
On your Office #3 gateway, do a: show ip route 192.68.48.0
On your Office #1 gateway, do a: show ip route 192.68.48.0
Post those results.
If Office #3 isn't routing that network to 192.168.0.11, then you can fix that with possibly adding a static route on Office #1 gateway and redistributing that static route into EIGRP, or just adding a static route on your office #3 gateway router.
Please rate if helpful,
Gabriel
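The two fixes Gabriel describes, written out as IOS configuration. This is an added example, not config from the thread's devices; the EIGRP AS number is a placeholder and the interface/VLAN details are assumed. Until one of these routes exists, the /22 only matches the default route, so traffic meant for the tunnel leaves in the clear via Office #2's internet link.

```ios
! Option A: on the Office #1 gateway (192.168.0.11, Cisco 2851).
! Point the vendor LAN at the ASA and advertise it to the other
! offices through EIGRP, so Office #3 learns it dynamically.
! <AS> is a placeholder: use the AS number already on the 2851s.
ip route 192.68.48.0 255.255.252.0 192.168.0.5
router eigrp <AS>
 redistribute static
!
! Option B: on the Office #3 gateway (192.168.5.1) only.
! Recursive next hop: 192.168.0.11 must already be reachable
! via EIGRP over the EVPL for this route to be installed.
ip route 192.68.48.0 255.255.252.0 192.168.0.11
!
! Verification on both gateways: the /22 must now be the
! longest match, instead of "Network not in table" falling
! through to the default route toward 172.20.254.5.
show ip route 192.68.48.1
```

After the route is in place, re-run the traceroute from 192.168.5.158: hop 2 should now head toward Office #1 rather than 172.20.254.5. The ASA also needs a return route to 192.168.5.0/24 via 192.168.0.11 (check with show route on the ASA), or only the outbound half of the tunnel traffic will work.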
05-30-2013 11:06 AM
Gabriel,
Thank you very much for your reply. I apologize for not replying to your post sooner; I put this issue on hold and I'm just returning to it now. I haven't been able to test the new static route that I added to Office #1's gateway, but I'm hoping that it will work. I issued the command "show ip route 192.68.48.0" on Office #3's gateway and the result was "Network not in table"; I got the same result on Office #1's gateway as well. I assume that means there is no route configured, so I went ahead and configured a route that I think will work. On Office #3's gateway, I added the following static route: "ip route 192.68.48.0 255.255.252.0 192.168.0.5". My thinking is that I want to route all traffic for the 192.68.48.0 network to the ASA (192.168.0.5). The only other route I could think of adding, if the one above doesn't work, is "ip route 192.68.48.0 255.255.252.0 192.168.0.11". Again, thank you very much for your help; it is much appreciated!