cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1091
Views
10
Helpful
12
Replies

Site to Site VPN Connection

Shaun McCloud
Level 1
Level 1

                   I am having trouble getting a site to site connection going between a site I am managing and a remote vender. (neither of us are experts)

Can anyone tell me what we are missing?

1 Accepted Solution

Accepted Solutions

Ok,

Hopefully I have understood the situation correctly.

With the below changes all traffic from your LAN network should flow through the L2L VPN connection to the Remote Site. I can't however say what happens to the traffic from there on in. Internet traffic should work just fine.

Your Site ASA

access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any

no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0

access-list INSIDE-NAT0 remark NAT0 for L2L VPN traffic

access-list INSIDE-NAT0 permit ip 10.4.200.0 255.255.248.0 any

nat (Inside) 0 access-list INSIDE-NAT0

crypto map Outside_map2 1 match address siteA

Vendor Site ASA

same-security-traffic permit intra-interface

access-list siteA extended permit ip any 10.4.200.0 255.255.248.0

no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0

nat (outside) 1 10.4.200.0 255.255.248.0

This should forward traffic from your site to the remote site if the destination address of the connections is anything other than your LAN network.

It should also enable your site to use the remote sites ASAs Internet connection since we enable the traffic to take a U-turn on the remote ASA "outside" interface and also be Dynamic PATed to the "outside" interface IP address.

- Jouni

View solution in original post

12 Replies 12

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

What is the actual networks on the Vendor site? It has routes for ALL 10-networks. What are the actual networks on the Vendor site that need to use this L2L VPN.

Need to know those to be able to give the exact changes you might need.

- Jouni

My site is 10.4.200.0 255.255.248.0

The goal is to route all our traffic through them (yes even web surfing)

They have 10.4.0.0 because they also use a 10.4.0.0 network on thier local side.

Do I need to have them break up the network on thier side (they do not also have 10.4.200.0 255.255.284.0)?

Hi,

Well you should make sure that there is no overlap between the local network on both sites.

The remote site may have subnet from  the 10.4.0.0 255.255.0.0 but they should not have anything from the 10.4.200.0 255.255.248.0 subnet.

So you dont want to use your own Internet connection for anything else than to tunnel ALL traffic from your site to the remote site from where the connections will head out to the Internet?

- Jouni

The vendor does not have anything in the 10.4.200.0 255.255.248.0 subnet.

We are using the web content filter they have which is why we are tunneling everything back.

Hi,

I am just wondering if you are just forwarding HTTP/HTTPS connections through some device on their site or do you actually forward traffic to ANY destination network through their site no matter what connection we are talking about?

Because it will naturally affect how the configurations should be.

The original configuration that you have attached seems to indicate that you only want to tunnel traffic between local and remote network and therefore it would seem to me that there is probably some device on their site to which you connect.

- Jouni

All traffic to any destination, and of any type through thier network.

The device on thier network that handles the filtering is not a proxy.

Ok,

Hopefully I have understood the situation correctly.

With the below changes all traffic from your LAN network should flow through the L2L VPN connection to the Remote Site. I can't however say what happens to the traffic from there on in. Internet traffic should work just fine.

Your Site ASA

access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any

no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0

access-list INSIDE-NAT0 remark NAT0 for L2L VPN traffic

access-list INSIDE-NAT0 permit ip 10.4.200.0 255.255.248.0 any

nat (Inside) 0 access-list INSIDE-NAT0

crypto map Outside_map2 1 match address siteA

Vendor Site ASA

same-security-traffic permit intra-interface

access-list siteA extended permit ip any 10.4.200.0 255.255.248.0

no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0

nat (outside) 1 10.4.200.0 255.255.248.0

This should forward traffic from your site to the remote site if the destination address of the connections is anything other than your LAN network.

It should also enable your site to use the remote sites ASAs Internet connection since we enable the traffic to take a U-turn on the remote ASA "outside" interface and also be Dynamic PATed to the "outside" interface IP address.

- Jouni

When the vendor added his side he got this warning:

Ok – I added the statements but I got this when I added the NAT statement:

(config)# nat (outside) 1 10.4.200.0 255.255.248.0

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

The statement is there in the config though….

Still not getting the Tunnel established... maybe I am missing somthing else.

Can I not establish it with pings maybe?

Everytime I do a traceroute on my side it goes out our internet connection. So I think something is still not set up right.

Hi,

From where are you doing the ICMP and Traceroute?

- Jouni

I was trying from the inside interface.

I then set up a computer to route through the asa and all is well.

The psk was wrong but after fixing that the tunnel is up and working!


Thanks so much for your help!

Hi,

Good to hear.

I was just asking the above because if you try to traceroute/ICMP from the ASA directly THEN ASA will use the "outside" interfaces IP address as the source for that traffic and it wont match the VPN rules.

So testing any L2L VPN negotiation on the ASA should be done with "packet-tracer" command which usually shows if there is any problems with the VPN portion.

Or you can use a host behind the ASA that matches the L2L VPN configured networks.

Good thing you found the problem with the PSKs as that couldnt be determined by the configurations themselves. Though it would have shown on some further troubleshooting.

If you ever want to know what is configured as the PSK on the ASA (as it shows them as * in the configuration) you can use the following command

more system:running-config

And it will show them in clear text.

- Jouni