I have been given the task to create a VPN tunnel between our site here and a vendor's support center. I managed to successfully create the VPN tunnel, which negotiates fine, but I can't seem to figure out how to get traffic flowing. I'm fairly certain the "protected networks" setting is what is causing the problem, and I'm at a loss as to what I need to do. The vendor gave us this address as the "local" network to send the traffic to: 22.214.171.124/22. So when I created the tunnel I set the protected addresses to 126.96.36.199/22 and 192.168.5.158 (the PC on our end).

The problem is that when I trace a route to a PC on the vendor end at 188.8.131.52 from 192.168.5.158, it tries to go out to the internet because it's not a private IP address. Do I need to add a routing statement on our internal network router to stop it from sending the traffic to the internet? I have no idea why the vendor is using public IP addresses internally on their network. I tried getting them to change that, but it wasn't happening.

I think I configured everything correctly on the ASA, as the tunnel comes up fine. I think the configuration needs to be changed on the 2851 router that is sending the traffic out to the internet instead of to the ASA. Thanks for taking the time to read my post, and any help is much appreciated!
Message was edited by Crag Muer: I accidentally listed the wrong IP addresses and network on the remote end of the VPN.
Can you share a diagram of the topology you are using, something like:
where X, Y, Z, A are the subnets of the devices, and X and A are the ones that are going to be protected via the VPN tunnel.
I would also like to see the entire VPN setup on both devices, and also the NO-NAT config.
Thanks a lot for replying to my post, it is much appreciated! I will try to further explain the network topology involved in the issue that I am having. I would like to add something that I did not mention in my original post as I wasn't sure if it had bearing on the issue or not. We have 3 offices that are inter-connected with each other through EVPL service. The diagram below is how the topology should look when everything is working: (192.168.5.158 and 184.108.40.206/22 are the addresses that are in the crypto map for the VPN)
192.168.5.158 (Office #3 desktop PC) -> 192.168.5.1 (Office #3 gateway, Cisco 2851) -> EVPL -> 192.168.0.11 (gateway, Cisco 2851) -> 192.168.0.5 (Office #1 firewall, ASA 5510) -> Internet -> 68.x.x.x (vendor router, Cisco 7206) -> 220.127.116.11/22 (vendor network)
This is how the traffic is flowing when I run a traceroute from 192.168.5.158 to 18.104.22.168:
192.168.5.158 (Office #3 desktop PC) ---> 192.168.5.1 (Office #3 gateway, Cisco 2851) ---> EVPL ---> 192.168.1.14 (Office #2, Cisco 2851) ---> Internet
The 2851 routers are running EIGRP. Internet access for Office #3 gets routed to Office #2, as Office #3 doesn't have an internet connection. What should be happening, if I understand it correctly, is that traffic from 192.168.5.158 should be going to the ASA in Office #1, then out to the internet and on to the vendor endpoint. However, it is getting routed to Office #2's internet connection since the vendor's local network is a public IP address, is that correct? Is it possible to just put a routing statement in Office #3's 2851 to route the traffic to the ASA instead of the internet? I attached a redacted copy of the ASA 5510 running configuration mentioned above. I can also do the same for any of the 2851 routers involved. I won't be able to get the vendor's router configuration, but I can ask them to send me over information on a specific question if you have one. Again, thanks a lot for your time, and I really appreciate it!
I just happened across your post while researching something else. Are you sure the network on the other side is 22.214.171.124/22?
I have a good feeling it's supposed to be 192.168.48.0/22 but something got mixed up somewhere.
I am just returning to this issue now, and I have confirmed that the vendor network mentioned above is correct. Originally they used the 192.168.x.x address space and have now switched to 192.68.48.x. They didn't mention why, but they are indeed using that address. I think I have this issue figured out by adding a route to Office #3's gateway pointing traffic to the ASA in Office #1: "ip route 126.96.36.199 255.255.252.0 192.168.0.5". I haven't been able to test this yet, but hopefully it works. I'm not sure if I need to route traffic to the ASA at 0.5 or to the gateway address of 0.11, but I shall soon find out!
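The routing question running through this thread, and the last post's "0.5 or 0.11" doubt, can be checked offline by modelling the Office #3 router's forwarding decision. The block below is an added example, not the poster's configuration or anything from Cisco: it builds a constructed routing table for the Office #3 2851 (a connected 192.168.5.0/24, EIGRP-learned 192.168.0.0/24 via 192.168.0.11 and a default via 192.168.1.14, which are assumptions the thread only implies), applies longest-prefix match, and resolves a static route's next hop recursively the way IOS does when the next hop is not on a connected segment. The vendor prefix is taken as 192.68.48.0/22 from the final post; since the earlier posts' addresses do not agree with each other, treat it as a placeholder. The `crypto_acl_matches` check stands in for the ASA's "protected networks" (the interesting-traffic ACL): a packet the ASA is handed but that does not match it is routed in the clear even while the tunnel is up.

```python
"""Model of the Office #3 gateway's routing decision for PC -> vendor traffic.

Added example, not the thread's own configuration. Assumptions (labelled):
  * vendor prefix 192.68.48.0/22 (placeholder; earlier posts disagree)
  * Office #3's 2851 learns 192.168.0.0/24 via 192.168.0.11 and a default
    route via 192.168.1.14 through EIGRP, both reachable across the EVPL
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

PC = IPv4("192.168.5.158")          # desktop in Office #3 (from the thread)
ASA_INSIDE = IPv4("192.168.0.5")    # ASA 5510 inside address (from the thread)
OFFICE1_GW = IPv4("192.168.0.11")   # Cisco 2851 in front of the ASA (from the thread)
OFFICE2_GW = IPv4("192.168.1.14")   # Office #2 Cisco 2851 holding the internet link
VENDOR_NET = Net("192.68.48.0/22")  # assumed placeholder for the vendor's /22

# Assumed: both remote 2851s are directly reachable across the EVPL service.
EVPL_NEIGHBOURS = {OFFICE1_GW, OFFICE2_GW}


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: Optional[IPv4]   # None means directly connected
    source: str                # "connected", "eigrp" or "static"


# Constructed routing table for the Office #3 2851 before any fix.
BASE_TABLE: List[Route] = [
    Route(Net("192.168.5.0/24"), None, "connected"),
    Route(Net("192.168.0.0/24"), OFFICE1_GW, "eigrp"),
    Route(Net("192.168.1.0/24"), OFFICE2_GW, "eigrp"),
    Route(Net("0.0.0.0/0"), OFFICE2_GW, "eigrp"),  # Office #3 has no internet link of its own
]


def lookup(table: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match: the most specific route that covers dst wins."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def forward(table: List[Route], dst: str, _depth: int = 0) -> Tuple[str, str]:
    """Return (neighbour the packet is handed to, source of the matched route).

    A static route whose next hop is not a directly reachable neighbour is
    resolved by looking that next hop up in the same table, which is how IOS
    handles a recursive static route.
    """
    if _depth > 8:
        raise RuntimeError(f"next hop for {dst} never resolves to a neighbour")
    addr = IPv4(dst)
    route = lookup(table, addr)
    if route is None:
        raise LookupError(f"no route to {dst}")
    if route.next_hop is None:              # connected: deliver to the host itself
        return str(addr), route.source
    if route.next_hop in EVPL_NEIGHBOURS:   # directly reachable next hop
        return str(route.next_hop), route.source
    hop, _ = forward(table, str(route.next_hop), _depth + 1)  # recursive lookup
    return hop, route.source


def with_static_route(table: List[Route], prefix: str, next_hop: str) -> List[Route]:
    """Equivalent of 'ip route <network> <mask> <next_hop>' on the 2851."""
    return table + [Route(Net(prefix), IPv4(next_hop), "static")]


def crypto_acl_matches(src: str, dst: str) -> bool:
    """The ASA's interesting-traffic ACL, i.e. the thread's 'protected networks':
    host 192.168.5.158 to the vendor /22. Anything else is not tunnelled."""
    return IPv4(src) == PC and IPv4(dst) in VENDOR_NET


if __name__ == "__main__":
    vendor_host = "192.68.48.25"   # constructed vendor-side host
    print("before fix:      ", forward(BASE_TABLE, vendor_host))
    fixed = with_static_route(BASE_TABLE, str(VENDOR_NET), str(ASA_INSIDE))
    print("static via 0.5:  ", forward(fixed, vendor_host))
    alt = with_static_route(BASE_TABLE, str(VENDOR_NET), str(OFFICE1_GW))
    print("static via 0.11: ", forward(alt, vendor_host))
    print("interesting traffic:", crypto_acl_matches(str(PC), vendor_host))
```

Without the static route the vendor host matches only the default and leaves via 192.168.1.14, which is exactly the traceroute in the thread; with it, the /22 wins on prefix length and the packet is handed to 192.168.0.11 whether the configured next hop is 192.168.0.5 or 192.168.0.11, because the route to 0.5 recurses through the EIGRP route for 192.168.0.0/24. Two checks the thread does not show but that a practitioner would run next: the ASA must itself have a route for 192.168.5.0/24 pointing back at 192.168.0.11 so the vendor's replies to 192.168.5.158 are not dropped or sent out the wrong interface, and the ASA's NAT exemption must cover the same source/destination pair as the crypto ACL, or the source address is translated before the tunnel's selectors are consulted.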