Site-to-Site VPN with Public and Private IP

Crag Muer
Level 1

I have been given the task to create a VPN tunnel between our site here and a vendor's support center.  I managed to successfully create the VPN tunnel, which negotiates fine, but can't seem to figure out how to get traffic flowing.  I'm fairly certain the "protected networks" is what is causing the problem and I'm at a loss as to what I need to do.  The vendor gave us this address as the "local" network to send the traffic to:  192.68.48.0/22.  So when I created the tunnel I set the protected addresses to 192.68.48.0/22 and 192.168.5.158 (the PC on our end).  The problem is when I trace a route to a PC on the vendor end at 192.68.48.17 from 192.168.5.158 it tries to go out to the internet because it's not a private IP address.  Do I need to add a routing statement on our internal network router to stop it from sending the traffic to the internet?  I have no idea why the vendor is using public IP addresses internally on their network.  I tried getting them to change that but it wasn't happening.  I think I configured everything correctly on the ASA as the tunnel comes up fine.  I think the configuration needs to be changed on the 2851 router that is sending the traffic out to the internet instead of to the ASA.  Thanks for taking the time to read my post and any help is much appreciated!

Message was edited by Crag Muer:  I accidentally listed the wrong IP addresses and network on the remote end of the VPN.

4 Replies

Julio Carvajal
VIP Alumni

Hi Crag,

Can you share a diagram of the topology you are using something like

X.X.X.X----2851 router---YYYY------INTERNET-----ZZZ---ASA----AAAAA

Where X, Y, Z, A are the subnets of the devices, and X and A are the ones that are going to be protected via the VPN tunnel.

I would also like to see the entire VPN setup on both devices, and also the NO-NAT config.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

JCarvaja,

Thanks a lot for replying to my post, it is much appreciated!  I will try to further explain the network topology involved in the issue that I am having.  I would like to add something that I did not mention in my original post as I wasn't sure if it had bearing on the issue or not.  We have 3 offices that are inter-connected with each other through EVPL service.  The diagram below is how the topology should look when everything is working:  (192.168.5.158 and 192.68.48.0/22 are the addresses that are in the crypto map for the VPN)

Office #3              Gateway                       Gateway           Office #1 Firewall            Vendor Router

192.168.5.158 -> 192.168.5.1 -> EVPL -> 192.168.0.11 -> 192.168.0.5 -> Internet -> 68.x.x.x -> 192.68.48.0/22

Desktop PC           Cisco 2851                    Cisco 2851        ASA 5510                        Cisco 7206   Vendor Network

This is how the traffic is flowing when I run a traceroute from 192.168.5.158 to 192.68.48.17:

  Office #3               Gateway                          Office #2

192.168.5.158 ---> 192.168.5.1 ---> EVPL ---> 192.168.1.14 ---> Internet

  Desktop PC          Cisco 2851                       Cisco 2851

The 2851 routers are running EIGRP.  Internet access for office #3 gets routed to office #2 as office #3 doesn't have an internet connection.  What should be happening, if I understand it correctly, is traffic from 192.168.5.158 should be going to the ASA in office #1, then out to the internet and on to the vendor endpoint.  However, it is getting routed to office #2's internet since the vendor's local network is a public IP address, is that correct?  Is it possible to just put a routing statement in office #3's 2851 to route the traffic to the ASA instead of the internet?  I attached a redacted copy of the ASA 5510 running configuration mentioned above.  I can also do the same for any of the 2851 routers involved.  I won't be able to get the vendor's router configuration but I can ask them to send me over information on a specific question if you have one.  Again, thanks a lot for your time and I really appreciate it!

I just happened across your post while researching something else.  Are you sure the network on the other side is 192.68.48.0/22?

I have a good feeling it's supposed to be 192.168.48.0/22 but something got mixed up somewhere.

Marshall,

I am just returning to this issue now and I have confirmed that the vendor network mentioned above is correct.  Originally they used the 192.168.x.x address space and have now switched to 192.68.48.x.  They didn't mention why but they are indeed using that address.  I think I have this issue figured out by adding a route to Office #3's gateway pointing traffic to the ASA in Office #1, "ip route 192.68.48.0 255.255.252.0 192.168.0.5".  I haven't been able to test this yet but hopefully it works.  I'm not sure if I need to route traffic to the ASA 0.5 or to the gateway address of 0.11, but I shall soon find out!
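The routing behaviour discussed in this thread, as an added illustration that is not part of the original posts or anyone's real configuration: a longest-prefix-match model of the Office #3 2851's table shows why 192.68.48.17 falls to the default route toward Office #2 (the router does not care that the vendor's range is public space, only that no more specific route exists), and how the static route from the last post changes that, including the recursive lookup of a next hop that is not directly adjacent. The EIGRP next hops and the set of EVPL neighbours (192.168.0.11 and 192.168.1.14) are assumptions taken from the traceroute diagrams.

```python
import ipaddress

# Constructed model of the Office #3 2851 routing table, based on the
# thread's diagrams. Next hops and the EVPL adjacency set are assumptions:
# 192.168.0.11 (Office #1 gateway) and 192.168.1.14 (Office #2 gateway)
# are treated as directly reachable over the EVPL.
EVPL_NEIGHBOURS = {"192.168.0.11", "192.168.1.14"}

BASE_ROUTES = [
    ("192.168.5.0/24", "connected"),     # Office #3 LAN
    ("192.168.0.0/24", "192.168.0.11"),  # Office #1 LAN via EIGRP (assumed)
    ("192.168.1.0/24", "192.168.1.14"),  # Office #2 LAN via EIGRP (assumed)
    ("0.0.0.0/0",      "192.168.1.14"),  # default: Internet via Office #2
]

# The static route quoted in the thread:
# ip route 192.68.48.0 255.255.252.0 192.168.0.5
STATIC_TO_ASA = ("192.68.48.0/22", "192.168.0.5")


def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


def resolve(routes, dst, max_depth=8):
    """Return (matched_prefix, adjacent_next_hop) for dst, following
    recursive next hops until one is an EVPL neighbour or the route is
    connected (local delivery). A next hop that never resolves yields None."""
    match = lookup(routes, dst)
    if match is None:
        return None
    prefix, nh = match
    for _ in range(max_depth):
        if nh == "connected" or nh in EVPL_NEIGHBOURS:
            return prefix, nh
        deeper = lookup(routes, nh)   # recursive lookup of the next hop itself
        if deeper is None:
            return prefix, None       # unresolvable next hop: route unusable
        nh = deeper[1]
    return prefix, None


if __name__ == "__main__":
    print("before:", resolve(BASE_ROUTES, "192.68.48.17"))
    print("after: ", resolve(BASE_ROUTES + [STATIC_TO_ASA], "192.68.48.17"))
```

Because the static route claims a range that is also public address space, any Internet host inside 192.68.48.0/22 becomes unreachable from Office #3 once it is in place. Steering the packets to the ASA only helps if the crypto ACL and NAT exemption there match the same source and destination pair, which is the configuration Julio asked to see.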