
VPN Tunnel ASA 5505 to 5510 to sites that already have MPLS

fixitrodd
Level 1

I'm having a tough time getting a VPN tunnel to work, and I've built these before. But this is a scenario I have not been in. I have two sites that are already connected with MPLS. We want to run a new subnet across the internet on a VPN tunnel for backing up servers. It's a new subnet on each side, and the internet is already set up at each site as each site's primary internet. Is this possible? I'm attaching a drawing that hopefully will explain. If this is possible I'll dig into the config and ask for more help.

 

Thank You!!!

 

3 Replies

pjain2
Cisco Employee

Set up the L2L tunnel with the new subnets in the crypto ACL; you need to make sure that the traffic from that new subnet towards the remote subnet reaches the ASA; you can then add a route for the remote subnet pointing out through your outside interface so that it hits your crypto.

I have done that and a route back from the firewall and can ping each router from the ASA at its own site but not the router at the other end (I have enabled ICMP in the firewalls). I must have something else mixed up then. I see tunnel built with crypto commands either. I'll try to post relevant parts of the config later today. Thank you for your response.

I finally got back to this. I couldn't find any mistakes in the programming at all. I have been trying to ping router to router on each side. Once I did a ping 192.168.1.1 source 192.168.2.1 (with the correct addresses of course) it recognized my source was correct and routed/tunneled appropriately.

So, the diagram I attached above does work no problem as pjain2 stated.
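The behaviour described in this thread, as an added example that is not part of the original posts: a small Python check that parses each site's crypto ACL line, confirms the two ACLs mirror each other, and shows why a ping only enters the tunnel when its source address is inside the new subnet. The ACL name, the 192.168.1.0/24 and 192.168.2.0/24 subnets and the 10.0.0.1 MPLS-side router address are constructed sample values, and the assumption is that the unsourced ping left with an address outside the new subnet.

```python
import ipaddress

def parse_crypto_acl(line):
    """Parse 'access-list NAME extended permit ip NET MASK NET MASK' into (src_net, dst_net)."""
    tok = line.split()
    if len(tok) != 9 or tok[0] != "access-list" or tok[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
    dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
    return src, dst

def is_interesting(acl, src_ip, dst_ip):
    """True if the packet matches a crypto ACL entry, i.e. it is eligible for the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def is_mirrored(acl_a, acl_b):
    """Each peer's crypto ACL should be the other's with source and destination swapped."""
    return set(acl_a) == {(d, s) for s, d in acl_b}

# Constructed sample crypto ACLs for the two sites (not taken from the thread).
SITE_A = [parse_crypto_acl(
    "access-list BACKUP-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0")]
SITE_B = [parse_crypto_acl(
    "access-list BACKUP-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0")]

def check():
    """Evaluate the two pings from the thread against site A's crypto ACL."""
    return {
        "mirrored": is_mirrored(SITE_A, SITE_B),
        # Ping sourced from the router's MPLS-side address (constructed): no match.
        "ping_default_source": is_interesting(SITE_A, "10.0.0.1", "192.168.2.1"),
        # Ping sourced from the new backup subnet: matches, so it is tunneled.
        "ping_new_subnet_source": is_interesting(SITE_A, "192.168.1.1", "192.168.2.1"),
    }

if __name__ == "__main__":
    for name, result in check().items():
        print(f"{name}: {result}")
```
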