Site to site Encryption domain IP address

balajirajahpb
Level 1

Dear All,

I need to clarify something. For example, a site-to-site VPN tunnel needs to be established.

For example, the outside interface of my ASA is in the 10.1.1.0/24 network. Will it be possible to use 10.1.1.32/32 in the VPN encryption domain (interesting traffic)?

Please clarify. I hope I explained it correctly. I have attached a diagram for a clearer picture.

Regards

Balajirajah P B

6 Replies

Jitendriya Athavale
Cisco Employee

What network do you have behind the left firewall?

I don't see too much of a problem having a VPN for this setup, but then again I have never tried it out. Do you see any specific problem when trying to get this working?

Just to be on the safer side, what I would do is NAT this one host/network when going over the VPN, so that when the left firewall sees the packet it is from a different source IP.

Rudresh Veerappaji
Cisco Employee

Hi Balajirajah,

For the tunnel, do you wish to send traffic only to the host 10.1.1.32/32 as the remote network? If yes, then the tunnel should work just fine in this scenario. If you have configured the remote subnet in the crypto ACL as anything other than /32, we might have an issue.

When the packet arrives at the ASA with destination 10.1.1.32/32, the route lookup would point it to the outside interface (assuming the default route points to the outside interface); it then hits the crypto map applied to the outside interface and is directly encapsulated as VPN traffic.

Let me know if this helps,

Cheers,

Rudresh V

Also, just make sure you have specific routes on the remote VPN gateway for .10/32 and .32/32.

Dear Jathaval/Rudresh,

I would like to be more specific. Please refer to the attachment.

Regards

Balajirajah

Yes, that will not be a problem. As I said, just take care of the routing on the right firewall for both IPs.

Hi Balajirajah,

This should work fine, because as soon as a packet from 172.16.0.0/16 to 10.1.1.32/32 arrives at the ASA's inside interface, it will match the crypto access-list entry (which should look roughly like "source: 172.16.0.0/16, destination: 10.1.1.32/32 and other private ranges"), get encapsulated and be sent through the tunnel.

If you ping 10.1.1.32/32 from the ASA itself, it will not go through the tunnel; instead the ASA looks for a machine in its outside interface subnet.

Let me know if you have any queries.

Cheers,

Rudresh V
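The setup described in the replies above, written out as an ASA configuration. This is an added example, not configuration from the original thread (the attached diagram is not available here). Assumptions: the left ASA's outside interface is 10.1.1.10/24 (the ".10/32" the replies refer to), the right firewall's peer address 198.51.100.1 is a placeholder, the local LAN is 172.16.0.0/16 as in Rudresh's reply, and the identity NAT line is only required if the ASA also carries a dynamic NAT/PAT rule for inside-to-outside traffic. The crypto ACL lists only the /32 host: a wider destination such as 10.1.1.0/24 would also cover the outside interface's own segment, which is the case Rudresh warns about.

```cisco
! Added example (assumed: outside = 10.1.1.10/24, peer = 198.51.100.1, LAN = 172.16.0.0/16)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.10 255.255.255.0
!
object network LOCAL_LAN
 subnet 172.16.0.0 255.255.0.0
object network REMOTE_HOST
 host 10.1.1.32
!
! Crypto ACL (interesting traffic): the single /32 host only, never the whole
! 10.1.1.0/24, because that subnet is also the outside interface's own segment.
access-list VPN_TO_RIGHT extended permit ip object LOCAL_LAN object REMOTE_HOST
!
! Identity NAT so the VPN traffic keeps its real addresses (only needed when a
! dynamic NAT rule for inside->outside exists). route-lookup forwards the packet
! by the routing table, which sends 10.1.1.32 to the outside interface, where the
! crypto map picks it up.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_HOST REMOTE_HOST no-proxy-arp route-lookup
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_RIGHT
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK
```

To verify, generate traffic from a host inside 172.16.0.0/16 rather than from the ASA itself (as noted above, a ping sourced from the ASA to 10.1.1.32 is treated as a connected-subnet host and does not enter the tunnel), then check the encaps/decaps counters with `show crypto ipsec sa peer 198.51.100.1` and the phase 1 state with `show crypto ikev1 sa`. `packet-tracer input inside icmp 172.16.1.10 8 0 10.1.1.32` shows whether a packet from the LAN hits the VPN phase before it leaves the outside interface. The right firewall still needs the host routes for 10.1.1.10/32 and 10.1.1.32/32 that the replies mention; that side's configuration depends on the vendor and is not shown here.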