Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
889
Views
10
Helpful
12
Replies

Site to Site VPN Connection

Go to solution
Shaun McCloud
Level 1
Level 1

‎08-01-2013 11:34 AM

                   I am having trouble getting a site to site connection going between a site I am managing and a remote vender. (neither of us are experts)

Can anyone tell me what we are missing?

Labels:
15365060-oursite.log.zip
15365115-vender.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Shaun McCloud

‎08-01-2013 01:38 PM

Ok,

Hopefully I have understood the situation correctly.

With the below changes all traffic from your LAN network should flow through the L2L VPN connection to the Remote Site. I can't however say what happens to the traffic from there on in. Internet traffic should work just fine.

Your Site ASA

access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any

no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0

access-list INSIDE-NAT0 remark NAT0 for L2L VPN traffic

access-list INSIDE-NAT0 permit ip 10.4.200.0 255.255.248.0 any

nat (Inside) 0 access-list INSIDE-NAT0

crypto map Outside_map2 1 match address siteA

Vendor Site ASA

same-security-traffic permit intra-interface

access-list siteA extended permit ip any 10.4.200.0 255.255.248.0

no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0

nat (outside) 1 10.4.200.0 255.255.248.0

This should forward traffic from your site to the remote site if the destination address of the connections is anything other than your LAN network.

It should also enable your site to use the remote sites ASAs Internet connection since we enable the traffic to take a U-turn on the remote ASA "outside" interface and also be Dynamic PATed to the "outside" interface IP address.

- Jouni

View solution in original post

0 Helpful
12 Replies 12

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-01-2013 11:44 AM

Hi,

What is the actual networks on the Vendor site? It has routes for ALL 10-networks. What are the actual networks on the Vendor site that need to use this L2L VPN.

Need to know those to be able to give the exact changes you might need.

- Jouni

Go to solution
Shaun McCloud
Level 1
Level 1
In response to Jouni Forss

‎08-01-2013 11:49 AM

My site is 10.4.200.0 255.255.248.0

The goal is to route all our traffic through them (yes even web surfing)

They have 10.4.0.0 because they also use a 10.4.0.0 network on thier local side.

Do I need to have them break up the network on thier side (they do not also have 10.4.200.0 255.255.284.0)?

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Shaun McCloud

‎08-01-2013 11:53 AM

Hi,

Well you should make sure that there is no overlap between the local network on both sites.

The remote site may have subnet from  the 10.4.0.0 255.255.0.0 but they should not have anything from the 10.4.200.0 255.255.248.0 subnet.

So you dont want to use your own Internet connection for anything else than to tunnel ALL traffic from your site to the remote site from where the connections will head out to the Internet?

- Jouni

Go to solution
Shaun McCloud
Level 1
Level 1
In response to Jouni Forss

‎08-01-2013 11:58 AM

The vendor does not have anything in the 10.4.200.0 255.255.248.0 subnet.

We are using the web content filter they have which is why we are tunneling everything back.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Shaun McCloud

‎08-01-2013 12:04 PM

Hi,

I am just wondering if you are just forwarding HTTP/HTTPS connections through some device on their site or do you actually forward traffic to ANY destination network through their site no matter what connection we are talking about?

Because it will naturally affect how the configurations should be.

The original configuration that you have attached seems to indicate that you only want to tunnel traffic between local and remote network and therefore it would seem to me that there is probably some device on their site to which you connect.

- Jouni

0 Helpful

Go to solution
Shaun McCloud
Level 1
Level 1
In response to Jouni Forss

‎08-01-2013 01:23 PM

All traffic to any destination, and of any type through thier network.

The device on thier network that handles the filtering is not a proxy.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Shaun McCloud

‎08-01-2013 01:38 PM

Ok,

Hopefully I have understood the situation correctly.

With the below changes all traffic from your LAN network should flow through the L2L VPN connection to the Remote Site. I can't however say what happens to the traffic from there on in. Internet traffic should work just fine.

Your Site ASA

access-list siteA extended permit ip 10.4.200.0 255.255.248.0 any

no access-list siteA extended permit ip LocalNetwork 255.255.248.0 10.4.0.0 255.255.0.0

access-list INSIDE-NAT0 remark NAT0 for L2L VPN traffic

access-list INSIDE-NAT0 permit ip 10.4.200.0 255.255.248.0 any

nat (Inside) 0 access-list INSIDE-NAT0

crypto map Outside_map2 1 match address siteA

Vendor Site ASA

same-security-traffic permit intra-interface

access-list siteA extended permit ip any 10.4.200.0 255.255.248.0

no access-list siteA extended permit ip 10.4.0.0 255.255.0.0 10.4.200.0 255.255.248.0

nat (outside) 1 10.4.200.0 255.255.248.0

This should forward traffic from your site to the remote site if the destination address of the connections is anything other than your LAN network.

It should also enable your site to use the remote sites ASAs Internet connection since we enable the traffic to take a U-turn on the remote ASA "outside" interface and also be Dynamic PATed to the "outside" interface IP address.

- Jouni

0 Helpful

Go to solution
Shaun McCloud
Level 1
Level 1
In response to Jouni Forss

‎08-01-2013 04:17 PM

When the vendor added his side he got this warning:

Ok – I added the statements but I got this when I added the NAT statement:

(config)# nat (outside) 1 10.4.200.0 255.255.248.0

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

The statement is there in the config though….

0 Helpful

Go to solution
Shaun McCloud
Level 1
Level 1
In response to Shaun McCloud

‎08-01-2013 04:34 PM

Still not getting the Tunnel established... maybe I am missing somthing else.

Can I not establish it with pings maybe?

Everytime I do a traceroute on my side it goes out our internet connection. So I think something is still not set up right.

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Shaun McCloud

‎08-01-2013 05:11 PM

Hi,

From where are you doing the ICMP and Traceroute?

- Jouni

0 Helpful

Go to solution
Shaun McCloud
Level 1
Level 1
In response to Jouni Forss

‎08-02-2013 09:00 AM

I was trying from the inside interface.

I then set up a computer to route through the asa and all is well.

The psk was wrong but after fixing that the tunnel is up and working!


Thanks so much for your help!

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Shaun McCloud

‎08-02-2013 09:06 AM

Hi,

Good to hear.

I was just asking the above because if you try to traceroute/ICMP from the ASA directly THEN ASA will use the "outside" interfaces IP address as the source for that traffic and it wont match the VPN rules.

So testing any L2L VPN negotiation on the ASA should be done with "packet-tracer" command which usually shows if there is any problems with the VPN portion.

Or you can use a host behind the ASA that matches the L2L VPN configured networks.

Good thing you found the problem with the PSKs as that couldnt be determined by the configurations themselves. Though it would have shown on some further troubleshooting.

If you ever want to know what is configured as the PSK on the ASA (as it shows them as * in the configuration) you can use the following command

more system:running-config

And it will show them in clear text.

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents