04-12-2013 07:42 AM - edited 03-11-2019 06:27 PM
Hi everyone,
On ASDM I see that the ASA has a site-to-site VPN.
When I click on it, it shows
Then below it has "Enable interface for IPSEC access".
Then there it has the interface which goes to the ISP, and it has a check mark on it.
Then under connection profile
it has the same interface name, local and remote subnet.
I need to understand: this is an IPSEC connection that connects to our other site via the ISP link, right?
What do local and remote subnets mean here?
Thanks
Mahesh
04-12-2013 08:00 AM
Hi,
The list of interfaces with the checkboxes simply tells which interfaces are configured to terminate IPsec VPN connections on the ASA. This is usually the "outside" interface or, as you say, the interface leading to the ISP.
The Local network and Remote network tell which networks use the L2L VPN / Site to Site VPN connection.
The Local Network will naturally mean your local networks and the Remote Network the other site's network.
Traffic between these networks is protected by the VPN.
- Jouni
04-12-2013 08:10 AM
Hi Jouni,
So this is an IPSEC secure connection between 2 sites, right?
So when you say this interface that connects to the ISP terminates the connection, then where does the VPN connection start?
Could you explain terminating the VPN connection on the ASA to me in more detail?
Thanks
Mahesh
04-12-2013 08:20 AM
Hi,
Yes, it's an L2L VPN / Site to Site VPN connection between 2 sites.
Basically it encapsulates/encrypts all traffic between the local and remote networks when it heads out to the Internet / Public Network and therefore keeps the data/information passed secure while it's traveling across an unsecure network.
The L2L VPN / Site to Site VPN connection is built between the 2 VPN devices. Either of the endpoints/devices can negotiate/bring up the L2L VPN connection.
- Jouni
04-12-2013 09:17 AM
Hi Jouni,
When I do sh ip on the ASA it shows
GigabitEthernet0/2.2 WAN 10.x.30.254
This is the ISP interface.
sh crypto isakmp sa shows
Peer IP 10.x.17.254
ASDM shows the ISP interface with IP 10.x.17.254, which is the same as the peer IP when I run the command sh crypto isakmp sa.
So this means that this ASA has an IPSEC tunnel with the ISP router and its peer IP is 10.x.17.254, right?
So we can also say that this tunnel starts from the ASA on the ISP interface, which is called WAN, and ends at the ISP router, right?
Thanks
Mahesh
04-12-2013 09:33 AM
Hi,
I highly doubt there is any IPsec between you and the ISP.
Also if the command "show ip address" shows the following
GigabitEthernet0/2.2 WAN 10.x.30.254
Then you can see that the interface "WAN" IP address range is not the same as the IPsec VPN peer IP address. So the IPsec VPN is between your firewall and some remote device.
Though I am not quite sure what the situation in this setup is, since you are using private IP addresses for both the WAN interface and the VPN peer IP address? It would seem that the VPN isn't built through the Internet if this is true. It would seem more like it's built through a dedicated connection between some sites.
Can you please provide some screenshot if you refer to something that the ASDM shows. I don't personally use ASDM much, so I would like to see what exactly you are referring to.
- Jouni
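The check Jouni is describing above can be done mechanically: compare the WAN interface's subnet with the IKE peer address (a peer outside that subnet is not the directly attached ISP router), note whether both ends are RFC 1918 addresses (which suggests a private WAN rather than the Internet), and read the crypto-map ACL to see which local/remote subnets actually get encrypted. The script below is an added example written for this thread, not Cisco code and not the poster's configuration; the show-command output and the ACL are constructed samples in the shape of ASA output, with made-up addresses in place of the redacted 10.x.* ones.

```python
"""Sanity-check a site-to-site IPsec setup from ASA show-command text.

Added example for the thread; all sample output below is constructed.
"""
import ipaddress
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample in the shape of ASA "show ip address" (addresses made up).
SHOW_IP_ADDRESS = """\
Interface                Name     IP address      Subnet mask      Method
GigabitEthernet0/1       inside   10.0.1.1        255.255.255.0    manual
GigabitEthernet0/2.2     WAN      10.0.30.254     255.255.255.0    manual
"""

# Constructed sample in the shape of ASA "show crypto isakmp sa" (IKEv1).
SHOW_ISAKMP_SA = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.17.254
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed crypto-map ACL: the "interesting traffic" that selects which
# local/remote subnets are sent through the tunnel (ASA uses subnet masks here).
CRYPTO_ACL = """\
access-list WAN_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
"""


def parse_interfaces(text):
    """Map each nameif to an IPv4Interface from 'show ip address'-style lines."""
    pattern = re.compile(rf"^(\S+)\s+(\S+)\s+({IPV4})\s+({IPV4})\s+\S+$")
    result = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            _, nameif, ip, mask = m.groups()
            result[nameif] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return result


def parse_ike_peers(text):
    """Return every IKE peer address listed in 'show crypto isakmp sa' output."""
    return re.findall(rf"IKE Peer:\s*({IPV4})", text)


def parse_crypto_acl(text):
    """Return (local_network, remote_network) pairs from crypto-map ACL lines."""
    pattern = re.compile(
        rf"access-list \S+ extended permit ip ({IPV4}) ({IPV4}) ({IPV4}) ({IPV4})"
    )
    pairs = []
    for m in pattern.finditer(text):
        local = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        remote = ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}")
        pairs.append((local, remote))
    return pairs


def classify_peer(wan, peer):
    """Where does the tunnel end? Compare the peer with the WAN interface subnet."""
    peer_ip = ipaddress.IPv4Address(peer)
    return {
        # True only if the peer sits on the WAN link itself (e.g. the ISP router).
        "directly_attached": peer_ip in wan.network,
        # Both ends RFC 1918 suggests a private WAN/MPLS path, not the public Internet.
        "both_ends_private": wan.ip.is_private and peer_ip.is_private,
    }


def is_protected(src, dst, acl_pairs):
    """Would a src->dst flow match the crypto ACL and therefore be encrypted?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in local and d in remote for local, remote in acl_pairs)


if __name__ == "__main__":
    wan = parse_interfaces(SHOW_IP_ADDRESS)["WAN"]
    for peer in parse_ike_peers(SHOW_ISAKMP_SA):
        print(f"WAN {wan} vs peer {peer}: {classify_peer(wan, peer)}")
    acl = parse_crypto_acl(CRYPTO_ACL)
    print("10.0.1.5 -> 10.0.2.9 encrypted:", is_protected("10.0.1.5", "10.0.2.9", acl))
    print("10.0.1.5 -> 8.8.8.8 encrypted:", is_protected("10.0.1.5", "8.8.8.8", acl))
```

With the constructed data the peer is not in the WAN subnet, so it is a device beyond the ISP link (the other site's ASA), both ends are private addresses, and only traffic between the two ACL subnets is selected for the tunnel; anything else, such as ordinary Internet traffic, leaves the WAN interface unencrypted.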
04-12-2013 09:46 AM
Hi Jouni,
I am unable to provide the screenshot from ASDM due to work policies here.
Yes, you are right, the VPN goes to our other site over the ISP WAN link.
It's the VPN between two ASAs at different locations.
So the peer IP which I see on this ASA will be the ASA at the other site, right?
Now we can say that the VPN connection starts from ASA1 at the WAN interface, goes through the cloud and terminates at ASA2, which is at the other site, right?
Regards
Mahesh
04-12-2013 09:52 AM
Hi,
Ok, I totally understand if you can't give any more specific information about the configurations, BUT I would stress the fact that the less information we get, the harder it is to understand the situation and give correct information.
And yes, the peer IP address you see on your ASA is the IP address of the remote ASA which is acting as the other endpoint of this IPsec L2L VPN connection.
- Jouni
04-12-2013 09:57 AM
Hi Jouni,
Thanks for understanding and helping me out.
ASA is a big world with a lot of things going on.
It seems if I continue to learn this way it will take a couple of years to know all about the ASA.
Regards
Mahesh