Order of VPN

dan_track
Level 1

Hi,

I've been wondering how the VPN process works on a Cisco ASA. The main part I'm struggling with is after I put a static route in for the destination pointing to the outside interface. How does the ASA then know that it needs to send any traffic to the destination through the VPN rather than into the internet?

Thanks

Dan

Accepted Solution

Jon Marshall
Hall of Fame

dan_track wrote:

Hi,

I've been wondering how the VPN process works on a Cisco ASA. The main part I'm struggling with is after I put a static route in for the destination pointing to the outside interface. How does the ASA then know that it needs to send any traffic to the destination through the VPN rather than into the internet?

Thanks

Dan

Dan

The ASA knows because of the crypto map access-list you have to define. This access-list defines what is termed "interesting traffic" for the VPN. So the packet comes in and the ASA consults the routing table and sees that the destination is reached via the outside interface. It then sees that there is a crypto map applied to the outside interface. So it looks at all the crypto map entries configured and checks the src/dst IPs of the packet against all the access-lists defined in the crypto map. If it finds a match it knows it has to encrypt the traffic and send it down the VPN tunnel.

Jon

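The order Jon describes (routing lookup, then the crypto map bound to the egress interface, then the crypto ACL match) worked through as an added Python model. This is not code from the thread and not Cisco software; the ASA-style configuration lines, the names OUTSIDE_MAP, VPN_TO_BRANCH, inside and outside, and all addresses are constructed for the example.

```python
"""Model of the ASA forwarding decision described above: routing lookup first,
then the crypto map bound to the egress interface, then the crypto ACL
("interesting traffic") match.  Added example, not Cisco code."""
import ipaddress

# Constructed ASA-style configuration (RFC 5737 / RFC 1918 addresses).
# Names and addresses are illustrative, not taken from the thread.
CONFIG = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route outside 10.20.0.0 255.255.0.0 203.0.113.1
route inside 10.10.0.0 255.255.0.0 10.10.0.254
access-list VPN_TO_BRANCH extended deny ip 10.10.9.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list VPN_TO_BRANCH extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP interface outside
"""


def parse_config(text):
    """Pull static routes, crypto ACL entries and crypto map bindings out of the text."""
    routes, acls, cmap_entries, cmap_iface = [], {}, {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "route":                             # route IFACE NET MASK NEXT_HOP
            routes.append((ipaddress.IPv4Network((t[2], t[3])), t[1], t[4]))
        elif t[0] == "access-list" and t[4] == "ip":    # ... extended permit|deny ip SRC MASK DST MASK
            acls.setdefault(t[1], []).append(
                (t[3], ipaddress.IPv4Network((t[5], t[6])), ipaddress.IPv4Network((t[7], t[8]))))
        elif t[:2] == ["crypto", "map"]:
            if t[3] == "interface":                     # crypto map NAME interface IFACE
                cmap_iface[t[4]] = t[2]
            else:                                       # crypto map NAME SEQ match address ACL | set peer IP
                entry = cmap_entries.setdefault(t[2], {}).setdefault(int(t[3]), {})
                if t[4:6] == ["match", "address"]:
                    entry["acl"] = t[6]
                elif t[4:6] == ["set", "peer"]:
                    entry["peer"] = t[6]
    return routes, acls, cmap_entries, cmap_iface


def route_lookup(routes, dst):
    """Longest-prefix match over the static routes, as the routing table does."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def classify(config, src, dst):
    """Return ('encrypt', peer), ('clear', egress_iface) or ('drop', reason)."""
    routes, acls, cmap_entries, cmap_iface = config
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    route = route_lookup(routes, dst)                  # step 1: where does the destination route?
    if route is None:
        return ("drop", "no route")
    egress = route[1]
    cmap = cmap_iface.get(egress)                      # step 2: is a crypto map bound to that interface?
    if cmap is None:
        return ("clear", egress)                       # no crypto map: ordinary forwarding
    for seq in sorted(cmap_entries.get(cmap, {})):     # step 3: entries checked in sequence order
        entry = cmap_entries[cmap][seq]
        for action, s, d in acls.get(entry.get("acl"), []):   # first matching ACE decides
            if src in s and dst in d:
                if action == "permit":
                    return ("encrypt", entry.get("peer"))
                break                                  # deny: not interesting for this entry
    return ("clear", egress)                           # matched no crypto ACL: sent unencrypted


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for src, dst in [("10.10.1.5", "10.20.3.7"), ("10.10.9.5", "10.20.3.7"),
                     ("10.10.1.5", "192.0.2.10"), ("10.10.1.5", "10.10.2.9")]:
        print(src, "->", dst, classify(cfg, src, dst))
```

The four sample packets show the point of the answer: the route only decides the egress interface, and a default route out of outside would have done that just as well for the branch network. What makes the branch traffic go into the tunnel rather than to the internet is the permit line in VPN_TO_BRANCH, while a destination outside that ACL (192.0.2.10) leaves the same interface in the clear. The deny line shows that a deny in a crypto ACL simply excludes traffic from that entry; it does not drop it. The model leaves out NAT, which a real ASA applies before the crypto ACL check (the reason VPN traffic is normally given an identity-NAT rule).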

2 Replies

Thanks Jon,

Is there some documentation you can link to learn about this process?

Thanks
