ASDM Site to Site VPN

mahesh18
Level 6

Hi everyone,

On ASDM I see that the ASA has a site-to-site VPN.

When I click on it, it shows

Then below it has "Enable interface for IPsec access".

Then there it has the interface which goes to the ISP, and it has a check mark on it.

Then under connection profile

It has the same interface name, local and remote subnet.

I need to understand: this is the IPsec connection that connects to our other site by the ISP link, right?

What do local and remote subnets mean here?

Thanks

Mahesh

8 Replies

Jouni Forss
VIP Alumni

Hi,

The list of interfaces with the checkboxes simply tells which interfaces are configured to terminate IPsec VPN connections on the ASA. This is usually the "outside" interface, or, as you say, the interface leading to the ISP.

The Local Network and Remote Network tell which networks use the L2L VPN / Site to Site VPN connection.

The Local Network will naturally mean your local networks and the Remote Network the other site's networks.

Traffic between these networks is protected by the VPN.

- Jouni
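As an added illustration (not from this thread or from the poster's ASA), here is the CLI that sits behind the two ASDM items discussed above: the "Enable interface for IPsec access" checkbox and the Local/Remote Network fields of the connection profile. ASA 8.4+ syntax is assumed; all interface names, subnets and the peer address are constructed placeholders.

```cisco
! Constructed example: ASA 8.4+ site-to-site (L2L) IPsec VPN.
! Interface "WAN" faces the ISP; addresses are documentation ranges.
object network LOCAL-LAN
 subnet 192.0.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 198.51.100.0 255.255.255.0
!
! "Local Network" / "Remote Network" in ASDM = this crypto ACL.
! Only traffic matching it is sent through the tunnel.
access-list L2L-ACL extended permit ip object LOCAL-LAN object REMOTE-LAN
!
! NAT exemption so VPN traffic keeps its private addresses end to end.
nat (inside,WAN) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! IKEv1 phase 1 (authentication of the two ASAs, key agreement).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! IPsec phase 2 (how the data traffic itself is protected).
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map ties the ACL, the remote ASA (peer) and the transform-set together.
crypto map WAN_map 10 match address L2L-ACL
crypto map WAN_map 10 set peer 203.0.113.2
crypto map WAN_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map WAN_map interface WAN
!
! This is the "Enable interface for IPsec access" checkbox on WAN.
crypto ikev1 enable WAN
!
! Connection profile for the remote ASA; keyed by its peer address.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>
```

Once phase 1 is up, `show crypto isakmp sa` (the command quoted later in this thread) lists 203.0.113.2 as the peer, which is the remote ASA, not the ISP.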

Hi Jouni,

So this is an IPsec secure connection between 2 sites, right?

So when you say this interface that connects to the ISP terminates the connection, then where does the VPN connection start?

Could you explain to me about terminating the VPN connection on the ASA in more detail?

Thanks

Mahesh

Hi,

Yes, it's a L2L VPN / Site to Site VPN connection between 2 sites.

Basically it encapsulates/encrypts all traffic between the local and remote networks when they head out to the Internet / Public Network and therefore keeps the data/information passed secure while it's traveling over an unsecure network.

The L2L VPN / Site to Site VPN connection is built between the 2 VPN devices. Either of the endpoints/devices can negotiate/bring up the L2L VPN connection.

- Jouni

Hi Jouni,

When I do sh ip on the ASA it shows

GigabitEthernet0/2.2     WAN              10.x.30.254   (this is the ISP interface)

sh crypto isakmp sa shows

Peer IP   10.x.17.254

ASDM shows the ISP interface with IP 10.x.17.254, which is the same as the peer IP when I run the command sh crypto isakmp sa.

So this means that this ASA has an IPsec tunnel with the ISP router and its peer IP is 10.x.17.254, right?

So also we can say that this tunnel starts from the ASA on the ISP interface which is called WAN and ends at the ISP router, right?

Thanks

Mahesh

Hi,

I highly doubt there is any IPsec between you and the ISP.

Also, if the command "show ip address" shows the following

GigabitEthernet0/2.2     WAN              10.x.30.254

Then you can see that the interface "WAN" IP address range is not the same as the IPsec VPN peer IP address. So the IPsec VPN is between your firewall and some remote device.

Though I am not quite sure what the situation in this setup is, since you are using private IP addresses for both the WAN interface and the VPN peer IP address. It would seem that the VPN isn't built through the Internet if this is true. It would seem more like it's built through a dedicated connection between some sites.

Can you please provide some screenshots if you refer to something that the ASDM shows? I don't personally use ASDM much, so I would like to see what exactly you are referring to.

- Jouni

Hi Jouni,

I am unable to provide the screenshot from ASDM due to work policies here.

Yes, you are right, the VPN goes to our other site over the ISP WAN link.

It's the VPN between two ASAs at different locations.

So the peer IP which I see on this ASA will be the ASA at the other site, right?

Now we can say that the VPN connection starts from ASA1 on the WAN interface, goes through the cloud and terminates at ASA2 which is at the other site, right?

Regards

Mahesh

Hi,

Ok, I totally understand if you can't give any more specific information about the configurations, BUT I would stress the fact that the less information we get, the harder it is to understand the situation and give correct information.

And yes, the peer IP address you see on your ASA is the IP address of the remote ASA which is acting as the other endpoint of this IPsec L2L VPN connection.

- Jouni

Hi Jouni,

Thanks for understanding and helping me out.

The ASA is a big world with lots of things going on.

It seems that if I continue to learn this way it will take a couple of years to know all about the ASA.

Regards

Mahesh
