10-04-2010 06:55 AM
Dear All,
I need to clarify something. For example, a site-to-site VPN tunnel needs to be established.
For example, my ASA's outside interface is in the 10.1.1.0/24 network; will it be possible to use 10.1.1.32/32 in the VPN encryption domain (interesting traffic)?
Please clarify. I hope I explained it correctly. I have attached the diagram for a clearer picture.
Regards
Balajirajah P B
10-04-2010 08:12 AM
What network do you have behind the left firewall?
I don't see much of a problem having a VPN for this setup, but again, I have never tried it out. Do you see any specific problem trying to get this working?
Just to be on the safer side, what I would do is NAT this one host/network when going over the VPN, so that when the left firewall sees the packet it is from a different source IP.
10-04-2010 08:52 AM
Hi Balajirajah,
For the tunnel, do you wish to send traffic to only the host 10.1.1.32/32 as the remote network? If yes, then the tunnel should work just fine in this scenario. If you have configured the remote subnet in the crypto acl as anything other than /32 we might have an issue.
When the packet arrives at the ASA with destination 10.1.1.32/32, the route lookup would point it to the outside interface (assuming the default route points to the outside interface); it then hits the crypto map applied to the outside interface and directly gets encapsulated as part of the VPN traffic.
Let me know if this helps,
Cheers,
Rudresh V
10-04-2010 09:01 AM
Also, just make sure you have a specific route on the remote VPN gateway for .10/32 and .32/32.
10-04-2010 09:18 AM
10-04-2010 09:29 AM
Yes, that will not be a problem. As I said, just take care of routing on the right firewall for both IPs.
10-04-2010 09:39 AM
Hi Balajirajah,
This should work fine, because as soon as a packet from 172.16.0.0/16 to 10.1.1.32/32 comes to the ASA at the inside interface, it would match the crypto access-list entry (which should roughly look like "source: 172.16.0.0/16 and destination: 10.1.1.32/32 & other private ranges"), get encapsulated and be sent through the tunnel.
If you ping 10.1.1.32/32 from the ASA itself, it will not go through the tunnel; instead it searches for a machine in the outside interface subnet of the ASA.
Let me know if you have any queries...
Cheers,
Rudresh V
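As an added illustration of the configuration described in the two answers above (this is not configuration posted by anyone in the thread): a crypto ACL that carries 172.16.0.0/16 to the single host 10.1.1.32/32, a NAT exemption so the LAN keeps its real source address over the tunnel, and the crypto map applied to the outside interface. The ACL and object names, the peer address 203.0.113.1, the pre-shared key placeholder and the IKEv1/AES/SHA proposal are all assumptions for the example; the syntax is pre-8.3 ASA (nat 0 exemption), which matches the 2010 date of the thread.

```cisco
! Crypto ACL ("interesting traffic"): inside LAN to the one remote host.
! Destination is a /32, as discussed above; a wider mask overlapping the
! outside interface subnet is what the answer warns about.
access-list VPN_TO_REMOTE extended permit ip 172.16.0.0 255.255.0.0 host 10.1.1.32

! NAT exemption (pre-8.3 syntax) so tunnelled packets keep their 172.16.x.x source.
! If you instead want the left firewall to see a different source IP (the earlier
! suggestion), replace this with a policy NAT for the same source/destination pair.
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 host 10.1.1.32
nat (inside) 0 access-list NONAT

! IKEv1 phase 1 (assumed proposal)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Peer definition (203.0.113.1 is an assumed peer address, not from the thread)
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <replace-with-shared-secret>

! IPsec phase 2 and the crypto map bound to the outside interface
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

To check the behaviour described above without relying on a ping sourced from the ASA itself (which, as noted, will not use the tunnel), simulate a packet from an inside host with `packet-tracer input inside icmp 172.16.1.10 8 0 10.1.1.32` and confirm the VPN phase shows the crypto map match; then `show crypto ipsec sa` should show encaps/decaps counters increasing for the 172.16.0.0/16 to 10.1.1.32/32 proxy identities once real traffic flows. The remote gateway must still have the host routes mentioned earlier, since the ASA side only encapsulates; it cannot make the far end route the return traffic back into the tunnel.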