Cisco Support Community
Site to Site VPN Connection

I am having trouble getting a site-to-site connection going between a site I am managing and a remote vendor (neither of us is an expert).

Can anyone tell me what we are missing?

12 REPLIES
Super Bronze

Hi,

What are the actual networks on the vendor site? It has routes for ALL 10-networks. What are the actual networks on the vendor site that need to use this L2L VPN?

I need to know those to be able to give the exact changes you might need.

- Jouni

New Member

My site is 10.4.200.0 255.255.248.0.

The goal is to route all our traffic through them (yes, even web surfing).

They have 10.4.0.0 because they also use a 10.4.0.0 network on their local side.

Do I need to have them break up the network on their side (they do not also have 10.4.200.0 255.255.248.0)?

Super Bronze

Hi,

Well, you should make sure that there is no overlap between the local networks of the two sites.

The remote site may have subnets from the 10.4.0.0 255.255.0.0 range, but they should not have anything from the 10.4.200.0 255.255.248.0 subnet.

So you don't want to use your own Internet connection for anything other than to tunnel ALL traffic from your site to the remote site, from where the connections will head out to the Internet?

- Jouni

New Member

The vendor does not have anything in the 10.4.200.0 255.255.248.0 subnet.

We are using the web content filter they have which is why we are tunneling everything back.

Super Bronze

Hi,

I am just wondering whether you are only forwarding HTTP/HTTPS connections through some device on their site, or whether you actually forward traffic to ANY destination network through their site, no matter what connection we are talking about.

Because it will naturally affect how the configurations should look.

The original configuration that you attached seems to indicate that you only want to tunnel traffic between the local and remote networks, and therefore it would seem to me that there is probably some device on their site to which you connect.

- Jouni

New Member

All traffic to any destination, and of any type, through their network.

The device on their network that handles the filtering is not a proxy.

Super Bronze (accepted solution)

Ok,

Hopefully I have understood the situation correctly.

With the changes below, all traffic from your LAN network should flow through the L2L VPN connection to the remote site. I can't, however, say what happens to the traffic from there on. Internet traffic should work just fine.

Your Site ASA

access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any
no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0
access-list INSIDE-NAT0 remark NAT0 for L2L VPN traffic
access-list INSIDE-NAT0 permit ip 10.4.200.0 255.255.248.0 any
nat (Inside) 0 access-list INSIDE-NAT0
crypto map Outside_map2 1 match address siteA

Vendor Site ASA

same-security-traffic permit intra-interface
access-list siteA extended permit ip any 10.4.200.0 255.255.248.0
no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0
nat (outside) 1 10.4.200.0 255.255.248.0

This should forward traffic from your site to the remote site whenever the destination address of the connection is anything other than your own LAN network.

It should also enable your site to use the remote site's ASA's Internet connection, since we allow the traffic to take a U-turn on the remote ASA's "outside" interface and also have it dynamically PATed to the "outside" interface IP address.

- Jouni

New Member

When the vendor added his side he got this warning:

Ok – I added the statements but I got this when I added the NAT statement:

(config)# nat (outside) 1 10.4.200.0 255.255.248.0
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

The statement is there in the config though….

New Member

Still not getting the tunnel established... maybe I am missing something else.

Can I not establish it with pings, maybe?

Every time I do a traceroute on my side it goes out our own Internet connection. So I think something is still not set up right.
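The following is an added example written for this page; it is not from Jouni, the original poster or the vendor. It pulls together the pre-8.3 ASA configuration the accepted solution describes and fills the two gaps the last two posts point at: the vendor's hairpin NAT line needs the trailing "outside" keyword (that is exactly what the warning "Keyword "outside" is probably missing" is telling the vendor, since without it the ASA binds the statement as an inside NAT on its outermost interface), and nat id 1 must have a matching global entry for the U-turned traffic to be PATed to the vendor's outside address. It also lists the checks to run when, as in the last post, a traceroute from your side still leaves through your own Internet link. Everything not in the thread is an assumption and is marked as such: the peer addresses 198.51.100.2 (vendor) and 203.0.113.2 (your site), the interface name Outside, the transform-set and ISAKMP policy, the crypto-map name outside_map on the vendor side, and the host 10.4.200.10 used in packet-tracer. Substitute the real values.

```cisco
! ===== Your site ASA (pre-8.3 NAT syntax, as in the thread) =====
! Crypto ACL: everything sourced from the LAN goes into the tunnel.
access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any
! NAT exemption so LAN traffic is not PATed before it reaches the crypto map.
access-list INSIDE-NAT0 remark NAT0 for L2L VPN traffic
access-list INSIDE-NAT0 extended permit ip 10.4.200.0 255.255.248.0 any
nat (Inside) 0 access-list INSIDE-NAT0
! Phase 1 / phase 2 pieces. Policy, transform-set, peer and interface name are
! ASSUMED values; only "crypto map Outside_map2 1 match address siteA" is from the thread.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable Outside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map2 1 match address siteA
crypto map Outside_map2 1 set peer 198.51.100.2
crypto map Outside_map2 1 set transform-set ESP-AES-256-SHA
crypto map Outside_map2 interface Outside
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key <shared-secret-agreed-with-vendor>

! ===== Vendor site ASA =====
! Let traffic enter and leave the same (outside) interface: the U-turn.
same-security-traffic permit intra-interface
! Mirror image of the other side's crypto ACL.
access-list siteA extended permit ip any 10.4.200.0 255.255.248.0
! Dynamic PAT for the U-turned traffic. The trailing "outside" keyword is what
! the warning in the thread asks for: the source network arrives on the outside
! interface, so this is an outside NAT, not an inside NAT bound to outside.
nat (outside) 1 10.4.200.0 255.255.248.0 outside
! nat id 1 needs a global; PAT to the outside interface address. Add only if the
! vendor does not already have this line for their own inside network.
global (outside) 1 interface
! Crypto map / tunnel-group on the vendor side (names and peer are ASSUMED;
! the thread implies these already exist and only the ACL changed).
crypto map outside_map 10 match address siteA
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret-agreed-with-vendor>

! ===== Checks (run on your site ASA) =====
! 1. Simulate a LAN host pinging an Internet address. In the output you want a
!    VPN phase that names "siteA" and no NAT phase that translates the source
!    to your own outside address. If NAT wins, INSIDE-NAT0 or siteA is wrong.
packet-tracer input Inside icmp 10.4.200.10 8 0 8.8.8.8 detailed
! 2. Phase 1: the peer should show state MM_ACTIVE; nothing listed means the
!    crypto map was never triggered or the peer never answered (check peer IP,
!    UDP/500 and ESP/UDP 4500 reachability, and the pre-shared key).
show crypto isakmp sa
! 3. Phase 2: #pkts encaps should rise while a LAN host pings; if only encaps
!    rises and decaps stays 0, the vendor side is dropping or not NATing the return.
show crypto ipsec sa peer 198.51.100.2
! 4. Hit counts prove the exemption ACL is actually matching the LAN traffic.
show access-list INSIDE-NAT0
! 5. Run on the vendor ASA: the entry must show the trailing "outside" keyword.
show running-config nat
```

On the ping question in the last post: yes, an ICMP echo works as the "interesting traffic" that brings the tunnel up, but it has to be sourced from a host inside 10.4.200.0/21 so it matches siteA. A ping or traceroute run from the ASA's own CLI is sourced from the ASA's interface address and is not a reliable test of the crypto map; use packet-tracer (check 1) or a LAN host instead. Also note that once siteA is "LAN to any", every host in 10.4.200.0/21 depends on the vendor's link and filter for all Internet access; if the tunnel is down, those hosts have no Internet at all unless you deliberately add a fallback, which is the trade-off of a full tunnel.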
