Site to Site VPN - I am lost

Hi guys,

I am totally confused with the Site-to-Site VPN configuration. Assume there are two different companies, X and Y. There is an FTP server (server B) in network 10.20.20.0/16 which belongs to company Y. There is also an FTP client (server A) in network 10.20.60.0/16 (note that this network belongs to company X), which is supposed to access the FTP server. I need to configure a Site-to-Site VPN between these two networks.

I have the following:

- 2x Cisco ASA 5520 (one at each location)

- 2 public IP addresses (1x DMZ IP address of company X and 1 of company Y)

- 2 private IP addresses 10.20.20.144/16 (company X) and 10.20.60.21/16 (company Y)

I understand that at each location the ASA's public interface will get the assigned DMZ IP and the private interface the private IP address. The destination of the tunnel on ASA X will be the IP address of the FTP server (at company Y) and the destination of the tunnel on ASA Y will be the FTP client (at company X).

What am I missing here? Is the last sentence correct? How come these two machines can talk to one another, since if you forget about the VPN tunnel they reside in the same 10.20.0.0/16 subnet?

Thanks, AL

-- ALeu

The VPN should point to the private IP block behind the ASA. (You also need a route saying to get there go via this public IP).

The two sites shouldn't be in the same IP subnets; they can't be. The private address ranges should be something like:

site a) 10.20.0.0/16
site b) 10.60.0.0/16

and just use one of those addresses for the local FTP server.

Flamer.

-- die.spam
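As an added worked example (not from this thread or from any of the posters), here is what the reply above looks like as a configuration on the ASA at site b, the side that hosts the FTP server, using ASA 8.4-or-later syntax with IKEv1. Everything concrete is assumed: interface names inside/outside, the public addresses 203.0.113.1 (site a) and 198.51.100.1 (site b) from the RFC 5737 documentation ranges, a default gateway of 198.51.100.6, the FTP server at 10.60.20.144, and a placeholder pre-shared key. The private blocks are the 10.20.0.0/16 and 10.60.0.0/16 suggested in the reply.

```cisco
! ASA at site b (hosts the FTP server).  ASA 8.4+ syntax, IKEv1.
! Assumed: interfaces "inside"/"outside", public 198.51.100.1 (site b)
! and 203.0.113.1 (site a), FTP server 10.60.20.144, placeholder PSK.
hostname ASA-SITE-B
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.60.0.1 255.255.0.0
!
! Only route needed: everything non-local goes out the public interface.
! The remote private block is reached by sending ESP to the peer's
! public address, which lies beyond this gateway.
route outside 0.0.0.0 0.0.0.0 198.51.100.6 1
!
object network SITE-B-LAN
 subnet 10.60.0.0 255.255.0.0
object network SITE-A-LAN
 subnet 10.20.0.0 255.255.0.0
!
! Identity NAT: private-to-private traffic must NOT be translated,
! otherwise it would never match the crypto ACL below.
nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static SITE-A-LAN SITE-A-LAN no-proxy-arp route-lookup
!
! "Interesting traffic": packets matching this ACL are encrypted and sent
! through the tunnel; everything else follows ordinary routing.
! Note it names the PRIVATE blocks, not the public DMZ addresses.
access-list VPN-TO-A extended permit ip object SITE-B-LAN object SITE-A-LAN
!
! Phase 1 (IKE) and phase 2 (IPsec) parameters; both peers must agree.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! The crypto map entry ties the interesting-traffic ACL to the peer's
! PUBLIC address: that is where the tunnel terminates.
crypto map OUTSIDE-MAP 10 match address VPN-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
!
! Tunnel group keyed by the peer's public address; PSK is a placeholder.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-long-random-secret
!
! Least privilege across the tunnel: by default decrypted VPN traffic
! bypasses the interface ACL, so turn that off and allow only FTP from
! site a's block to the one server. FTP inspection (on by default in the
! global policy) opens the data channel for active and passive transfers.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp 10.20.0.0 255.255.0.0 host 10.60.20.144 eq ftp
access-group OUTSIDE-IN in interface outside
```

The ASA at site a is the mirror image: swap the two LAN objects, point the crypto map and tunnel-group at 198.51.100.1, and use the same IKE policy, transform set and pre-shared key. Nothing changes on the FTP hosts themselves; their default gateway is their local ASA's inside address, and the ASA decides by the crypto ACL which packets enter the tunnel.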

Also, I am not sure what config example you're looking at, but a suggestion for you: ditch it and start from scratch using this one:

formatting link

-- die.spam

A first question: if it is only to connect the two FTP servers just for FTP, why deal with a tunnel? In this case I would use port address translation together with some access-lists and SFTP as the protocol.

Correct.

The destination IP addresses should be the DMZ addresses.

Here it depends on how you set up the tunnel. I would prefer different subnets at each location.

Regards, Christoph Gartmann

-- Christoph Gartmann
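The tunnel-less alternative in the post above, written out as an added configuration example (not the poster's own config), in ASA 8.3-or-later syntax: publish a single TCP port of the internal server on the ASA's public address and let only the other company's public address reach it. Assumed values: interface names inside/outside, the SFTP server at 10.60.20.144 behind the ASA at company Y, and 203.0.113.1 as company X's public (DMZ) address.

```cisco
! ASA at company Y, hosting the server.  ASA 8.3+ syntax.
! Assumed: interfaces "inside"/"outside", server 10.60.20.144,
! company X reaches us from public address 203.0.113.1.
!
! Static PAT: TCP/22 on the ASA's own outside address forwards to the
! server. Nothing else about the server is exposed, and SFTP needs no
! secondary data channel, unlike FTP.
object network SFTP-SERVER
 host 10.60.20.144
 nat (inside,outside) static interface service tcp 22 22
!
object network COMPANY-X-PUBLIC
 host 203.0.113.1
!
! Interface ACLs on 8.3+ reference the REAL (untranslated) address of
! the server. Only company X's public address may open TCP/22; all other
! inbound traffic is dropped and logged.
access-list OUTSIDE-IN extended permit tcp object COMPANY-X-PUBLIC object SFTP-SERVER eq 22
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

Because the client connects to the ASA's public address, the overlapping private ranges at the two companies never meet: the server only ever sees company X's public source address. Pair it with key-based SFTP authentication on the server so the exposed port does not become a password-guessing target.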

Well, yes. In order to build the tunnel both ends need to see each other. What I do not fully understand is how the two servers (the FTP client and FTP server) should be configured (routing-wise) in order to be able to talk to one another.

Can you configure the VPN tunnel between two identical subnets (at different locations)? Is this possible, and if so, what does the address translation so that the IP addresses do not overlap and conflict?

Thanks, AL

-- ALeu

I don't think you can do this without NAT in the ASA.

-- David Kerber

Can you elaborate on this? I understand that in order to build the tunnel each ASA (public interface) needs to be accessible from the Internet (most commonly it will be assigned a DMZ IP address). Therefore, the ASA at site A will use the DMZ IP of the ASA at site B to terminate the tunnel. How are the internal hosts configured then? Is the internal interface of the ASA at site A their gateway to the subnet at site B? What if you have the following scenario (two VPN tunnels: one between you and company X and the other between you and company Y):

Site X <-> You <-> Site Y

If you have a server, say S1, how do you instruct it to send the data to Site X and another set of data to Site Y? Are you using the internal IP address of the receiving server at Site X when sending to it, and defining a route via the internal interface of your ASA? Similarly, when trying to send data to the server at site Y, will you use the internal IP address of the receiving server at site Y and send it to the internal IP address of your ASA terminating both tunnels?

If so, how does the ASA know that the first data is destined for Site X and the second set of data is destined for Site Y?

Well, this is the piece that is confusing me a lot. You say that there have to be two different subnets where the internal clients reside. However, it is quite common that two different companies will use the same subnets for their hosts. How can this be addressed if one needs to deploy a VPN between them?

Thanks, AL

-- ALeu

It is not a matter of the FTP servers, it is more a matter of the routing at the ASAs. Assume you use different IP address ranges at locations X and Y, e.g. X has 10.1.60.x and Y has 10.1.70.y; then you tell the ASA at location X to route 10.1.70.y via the tunnel, and the same for the ASA at location Y the other way round.

I think I was wrong here. The ASA has somehow to decide which packets should go through the tunnel and which packets are local.

Regards, Christoph Gartmann

-- Christoph Gartmann
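The two open questions in this thread, how one ASA tells traffic for site X apart from traffic for site Y, and what to do when the far site uses the same subnet as you, are answered in one added configuration example below (not from any poster; David Kerber's remark that overlap needs NAT is what the X part implements). ASA 8.4-or-later syntax, IKEv1. All addresses are assumed: your LAN is 10.20.0.0/16, site X also uses 10.20.0.0/16 (overlap), site Y uses 10.60.0.0/16 (no overlap); public addresses are 203.0.113.1 (you), 198.51.100.1 (X) and 192.0.2.1 (Y); and you have agreed with X that your hosts appear to them as 172.16.0.0/16 while their hosts appear to you as 172.17.0.0/16.

```cisco
! "Your" ASA, terminating two tunnels.  ASA 8.4+ syntax, IKEv1.
! Assumed addresses:
!   your LAN      10.20.0.0/16 (real)
!   site X LAN    10.20.0.0/16 (real, OVERLAPS yours)
!   site Y LAN    10.60.0.0/16 (real, no overlap)
!   public: you 203.0.113.1, X 198.51.100.1, Y 192.0.2.1, gateway 203.0.113.6
! Agreed with X: you appear to them as 172.16.0.0/16, they appear to you
! as 172.17.0.0/16. Net-to-net static NAT keeps the host bits, so your
! 10.20.5.9 is 172.16.5.9 to X, and X's 10.20.7.3 is 172.17.7.3 to you.
object network OUR-LAN
 subnet 10.20.0.0 255.255.0.0
object network OUR-LAN-AS-SEEN-BY-X
 subnet 172.16.0.0 255.255.0.0
object network X-LAN-AS-SEEN-BY-US
 subnet 172.17.0.0 255.255.0.0
object network Y-LAN
 subnet 10.60.0.0 255.255.0.0
!
! Tunnel to X: when our hosts talk to 172.17.x.y, rewrite our source from
! 10.20.a.b to 172.16.a.b. The destination stays 172.17.x.y; X's ASA maps
! it back to its real 10.20.x.y on arrival (and does the mirror image for
! its own sources). No real 10.20.0.0/16 address ever crosses the tunnel.
nat (inside,outside) source static OUR-LAN OUR-LAN-AS-SEEN-BY-X destination static X-LAN-AS-SEEN-BY-US X-LAN-AS-SEEN-BY-US no-proxy-arp route-lookup
! Tunnel to Y: no overlap, so identity NAT keeps the real addresses.
nat (inside,outside) source static OUR-LAN OUR-LAN destination static Y-LAN Y-LAN no-proxy-arp route-lookup
!
! On 8.3+ the crypto ACL is matched AFTER NAT, so the X entry must name
! the translated (mapped) blocks, not the real ones.
access-list VPN-TO-X extended permit ip object OUR-LAN-AS-SEEN-BY-X object X-LAN-AS-SEEN-BY-US
access-list VPN-TO-Y extended permit ip object OUR-LAN object Y-LAN
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! One crypto map on the outside interface, two sequence numbers. An
! outbound packet is compared with each "match address" ACL in sequence
! order; the first hit decides which peer (tunnel) it is encrypted for.
! That comparison is how the ASA tells X-bound from Y-bound traffic.
crypto map OUTSIDE-MAP 10 match address VPN-TO-X
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN-TO-Y
crypto map OUTSIDE-MAP 20 set peer 192.0.2.1
crypto map OUTSIDE-MAP 20 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
!
! One tunnel group per peer, each with its own (placeholder) key.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-psk-shared-with-X
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-psk-shared-with-Y
!
! Internal hosts need no special routes: their default gateway is the
! ASA's inside address, and the ASA's default route pushes everything
! non-local toward the outside, where NAT and the crypto map take over.
route outside 0.0.0.0 0.0.0.0 203.0.113.6 1
```

From server S1 the difference is only the destination address it is given: 172.17.x.y for a host at site X, 10.60.x.y for a host at site Y. Site X's ASA carries the mirror configuration: it translates its own 10.20.0.0/16 to 172.17.0.0/16 for destinations in 172.16.0.0/16, and its crypto ACL permits 172.17.0.0/16 to 172.16.0.0/16. If the two peers' translated blocks and crypto ACLs do not mirror each other exactly, phase 2 negotiation fails with a proxy-identity mismatch, which is the first thing to check with "show crypto ipsec sa" when such a tunnel will not come up.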

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.