03-03-2010 03:49 AM
Hi,
I've been wondering how the VPN process works on a Cisco asa. the main part I'm struggling with is after I put a static route in for the destination pointing to the outside interface. How does the ASA then know that it needs to send any traffic to the destination through the VPN rather than into the internet?
Thanks
Dan
Solved! Go to Solution.
03-03-2010 04:59 AM
dan_track wrote:
Hi,
I've been wondering how the VPN process works on a Cisco asa. the main part I'm struggling with is after I put a static route in for the destination pointing to the outside interface. How does the ASA then know that it needs to send any traffic to the destination through the VPN rather than into the internet?
Thanks
Dan
Dan
The ASA knows because of the crypto map access-list you have to define. This access-list defines what is termed "interesting traffic" for the VPN. So the packet comes in and the ASA consults the routing table and see that the destination is reached via the outside interface. It then sees that there is a crypto map applied to the outside interface. So it looks at all the crypto map entries configured and checks the src/dst IPs of the packet against all the access-lists defined in the crypto map. If it finds a match it knows it has to encrypt the traffic and send it down the VPN tunnel.
Jon
03-03-2010 04:59 AM
dan_track wrote:
Hi,
I've been wondering how the VPN process works on a Cisco asa. the main part I'm struggling with is after I put a static route in for the destination pointing to the outside interface. How does the ASA then know that it needs to send any traffic to the destination through the VPN rather than into the internet?
Thanks
Dan
Dan
The ASA knows because of the crypto map access-list you have to define. This access-list defines what is termed "interesting traffic" for the VPN. So the packet comes in and the ASA consults the routing table and see that the destination is reached via the outside interface. It then sees that there is a crypto map applied to the outside interface. So it looks at all the crypto map entries configured and checks the src/dst IPs of the packet against all the access-lists defined in the crypto map. If it finds a match it knows it has to encrypt the traffic and send it down the VPN tunnel.
Jon
03-03-2010 05:36 AM
Thanks Jon,
Is there some documentation you can link to learn about this process?
Thanks
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: