Showing results for 
Search instead for 
Did you mean: 

Cisco Community Designated VIP Class of 2020


Site-to-Site VPN with Public and Private IP

I have been given the task to create a VPN tunnel between our site here and a vendor's support center.  I managed to successfully create the VPN tunnel, which negotiates fine, but can't seem to figure out how to get traffic flowing.  I'm fairly certain the "protected networks" is what is causing the problem and I'm at a loss as to what I need to do.  The vendor gave us this address as the "local" network to send the traffic to:  So when I created the tunnel I set the protected addresses to and (the PC on our end).  The problem is when I trace a route to a PC on the vendor end at from it tries to go out to the internet because it's not a private IP address.  Do I need to add a routing statement on our internal network router to stop it from sending the traffic to the internet?  I have no idea why the vendor is using public IP addresses internally on their network.  I tried getting them to change that but it wasn't happening.  I think I configured everything correctly on the ASA as the tunnel comes up fine.  I think the configuration needs to be changed on the 2851 router that is sending the traffic out to the internet instead of to the ASA.  Thanks for taking the time to read my post and any help is much appreciated!

Message was edited by Crag Muer:  I accidentally listed the wrong IP addresses and network on the remote end of the VPN.

Everyone's tags (4)

Site-to-Site VPN with Public and Private IP

Hi Crag,

Can you share a diagram of the topology you are using something like

X.X.X.X----2851 router---YYYY------INTERNET-----ZZZ---ASA----AAAAA

Where X,Y,Z,A are the Subnets of the devices, X and A are the ones that are going to be protected via the VPN tunnel,

I would also like to see the entire VPN setup on both devices, also the NO-Nat config


Julio Carvajal
Senior Network Security and Core Specialist

Re: Site-to-Site VPN with Public and Private IP


Thanks a lot for replying to my post, it is much appreciated!  I will try to further explain the network topology involved in the issue that I am having.  I would like to add something that I did not mention in my original post as I wasn't sure if it had bearing on the issue or not.  We have 3 offices that are inter-connected with each other through EVPL service.  The diagram below is how the topology should look when everything is working:  ( and are the addresses that are in the crypto map for the VPN)

Office #3              Gateway                       Gateway           Office #1 Firewall            Vendor Router -> -> EVPL -> -> -> Internet -> 68.x.x.x ->

Desktop PC           Cisco 2851                    Cisco 2851        ASA 5510                        Cisco 7206   Vendor Network

This is how the traffic is flowing when I run a traceroute from to

  Office #3               Gateway                          Office #2 ---> ---> EVPL ---> ---> Internet

  Desktop PC          Cisco 2851                       Cisco 2851

The 2851 routers are running EIGRP.  Internet access for office #3 gets routed to office #2 as office #3 doesn't have an internet connection.  What should be happening, if I understand it correctly, is traffic from should be going to the ASA in office #1 then out to the internet and on to the vendor endpoint.  However it is getting routed to office #2's internet since the vendor's local network is a public IP address, is that correct?  Is it possible to just put a routing statement in office #3's 2851 to route the traffic to the ASA instead of the internet?  I attached a redacted copy of the ASA 5510 running configuration mentioned above.  I can also do the same for any of the 2851 routers involved.  I won't be able to get the vendor's router configuration but I can ask them to send me over information on a specific question if you have one.  Again, thanks a lot for your time and I really appreciate it!


Site-to-Site VPN with Public and Private IP

I just happened across your post while researching something else.  Are you sure the network on the other side is

I have a good feeling it's supposed to be but something got mixed up somewhere.


Re: Site-to-Site VPN with Public and Private IP


I am just returning to this issue now and I have confirmed that the vendor network mentioned above is correct.  Originally they used the 192.168.x.x address space and have now switched to 192.68.48.x  They didn't mention why but they are indeed using that address.  I think I have this issue figured out by adding a route to Office #3's gateway pointing traffic to the ASA in Office #1, "ip route".  I haven't been able to test this yet but hopefully it works.  I'm not sure if I need to route traffic to the ASA 0.5 or to the gateway address of 0.11, but I shall soon find out!

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here