08-01-2013 11:34 AM
I am having trouble getting a site to site connection going between a site I am managing and a remote vendor. (Neither of us is an expert.)
Can anyone tell me what we are missing?
08-01-2013 11:44 AM
Hi,
What are the actual networks on the Vendor site? It has routes for ALL 10-networks. What are the actual networks on the Vendor site that need to use this L2L VPN?
I need to know those to be able to give the exact changes you might need.
- Jouni
08-01-2013 11:49 AM
My site is 10.4.200.0 255.255.248.0
The goal is to route all our traffic through them (yes even web surfing)
They have 10.4.0.0 because they also use a 10.4.0.0 network on their local side.
Do I need to have them break up the network on their side (they do not also have 10.4.200.0 255.255.284.0)?
08-01-2013 11:53 AM
Hi,
Well you should make sure that there is no overlap between the local network on both sites.
The remote site may have subnet from the 10.4.0.0 255.255.0.0 but they should not have anything from the 10.4.200.0 255.255.248.0 subnet.
So you don't want to use your own Internet connection for anything other than tunneling ALL traffic from your site to the remote site, from where the connections will head out to the Internet?
- Jouni
08-01-2013 11:58 AM
The vendor does not have anything in the 10.4.200.0 255.255.248.0 subnet.
We are using the web content filter they have which is why we are tunneling everything back.
08-01-2013 12:04 PM
Hi,
I am just wondering if you are just forwarding HTTP/HTTPS connections through some device on their site, or do you actually forward traffic to ANY destination network through their site no matter what connection we are talking about?
Because it will naturally affect how the configurations should be.
The original configuration that you have attached seems to indicate that you only want to tunnel traffic between local and remote network and therefore it would seem to me that there is probably some device on their site to which you connect.
- Jouni
08-01-2013 01:23 PM
All traffic to any destination, and of any type, through their network.
The device on their network that handles the filtering is not a proxy.
08-01-2013 01:38 PM
Ok,
Hopefully I have understood the situation correctly.
With the below changes all traffic from your LAN network should flow through the L2L VPN connection to the Remote Site. I can't however say what happens to the traffic from there on in. Internet traffic should work just fine.
Your Site ASA
access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any
no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0
access-list INSIDE-NAT0 remark NAT0 for L2L VPN traffic
access-list INSIDE-NAT0 permit ip 10.4.200.0 255.255.248.0 any
nat (Inside) 0 access-list INSIDE-NAT0
crypto map Outside_map2 1 match address siteA
Vendor Site ASA
same-security-traffic permit intra-interface
access-list siteA extended permit ip any 10.4.200.0 255.255.248.0
no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0
nat (outside) 1 10.4.200.0 255.255.248.0
This should forward traffic from your site to the remote site if the destination address of the connection is anything other than your LAN network.
It should also enable your site to use the remote site's ASA's Internet connection, since we enable the traffic to take a U-turn on the remote ASA's "outside" interface and also be Dynamic PATed to the "outside" interface IP address.
- Jouni
08-01-2013 04:17 PM
When the vendor added his side he got this warning:
Ok – I added the statements but I got this when I added the NAT statement:
(config)# nat (outside) 1 10.4.200.0 255.255.248.0
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
The statement is there in the config though….
08-01-2013 04:34 PM
Still not getting the tunnel established... maybe I am missing something else.
Can I not establish it with pings maybe?
Every time I do a traceroute on my side it goes out our Internet connection. So I think something is still not set up right.
08-01-2013 05:11 PM
Hi,
From where are you doing the ICMP and Traceroute?
- Jouni
08-02-2013 09:00 AM
I was trying from the inside interface.
I then set up a computer to route through the ASA and all is well.
The PSK was wrong, but after fixing that the tunnel is up and working!
Thanks so much for your help!
08-02-2013 09:06 AM
Hi,
Good to hear.
I was just asking the above because if you try to traceroute/ICMP from the ASA directly, THEN the ASA will use the "outside" interface's IP address as the source for that traffic and it won't match the VPN rules.
So testing any L2L VPN negotiation on the ASA should be done with the "packet-tracer" command, which usually shows if there are any problems with the VPN portion.
Or you can use a host behind the ASA that matches the L2L VPN configured networks.
Good thing you found the problem with the PSKs, as that couldn't be determined from the configurations themselves. Though it would have shown up on some further troubleshooting.
If you ever want to know what is configured as the PSK on the ASA (as it shows them as * in the configuration) you can use the following command:
more system:running-config
And it will show them in clear text.
- Jouni
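To see why the accepted answer's crypto ACL and NAT0 ACL have to agree, why the vendor's crypto ACL must be the mirror image of yours, and why Jouni says an ASA-sourced ping/traceroute never hits the VPN rules, here is a small matcher written for this thread (added example, not Jouni's or Cisco's code). It evaluates the access-list lines from the two config blocks above the way the ASA would for a given source/destination pair; the outside-interface address 203.0.113.2 used in the checks is a constructed placeholder.

```python
import ipaddress

# ACL lines copied from the accepted answer's two config blocks (remark and "no" lines included).
LOCAL_SITE = [
    "access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any",
    "no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0",
    "access-list INSIDE-NAT0 remark NAT0 for L2L VPN traffic",
    "access-list INSIDE-NAT0 permit ip 10.4.200.0 255.255.248.0 any",
]
VENDOR_SITE = [
    "access-list siteA extended permit ip any 10.4.200.0 255.255.248.0",
    "no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0",
]

def _addr(tokens):
    """Consume one ACE address term: 'any' or 'NETWORK MASK' (the only forms used in this thread)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines):
    """Return (acl_name, src_net, dst_net) for each active 'permit ip' ACE; skip remarks and 'no' lines."""
    aces = []
    for line in lines:
        t = line.split()
        if not t or t[0] == "no" or "remark" in t:
            continue
        src, rest = _addr(t[t.index("ip") + 1:])
        dst, _ = _addr(rest)
        aces.append((t[1], src, dst))
    return aces

def acl_matches(aces, src_ip, dst_ip):
    """First-match semantics are irrelevant here: any permit ACE that covers the pair is a hit."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for _, sn, dn in aces)

def classify(src_ip, dst_ip):
    """'tunnel' if crypto ACL and NAT0 both match, 'clear' if neither, 'mismatch' if only one does."""
    aces = parse_acl(LOCAL_SITE)
    crypto = acl_matches([a for a in aces if a[0] == "siteA"], src_ip, dst_ip)
    nat0 = acl_matches([a for a in aces if a[0] == "INSIDE-NAT0"], src_ip, dst_ip)
    return "tunnel" if crypto and nat0 else "clear" if not (crypto or nat0) else "mismatch"

def crypto_acls_mirror(local_lines, remote_lines, name="siteA"):
    """True when every local crypto ACE (src, dst) exists on the remote side as (dst, src)."""
    local = {(s, d) for n, s, d in parse_acl(local_lines) if n == name}
    remote = {(d, s) for n, s, d in parse_acl(remote_lines) if n == name}
    return local == remote
```

A LAN host such as 10.4.201.10 going anywhere classifies as "tunnel", while a packet sourced from the ASA's own outside address classifies as "clear", which is exactly the traceroute behaviour reported in the thread; on a real box, packet-tracer from the inside interface gives the authoritative answer.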