configuring site to site tunnel on asa 5505

carl_townshend
Spotlight

Hi all, I have just used the VPN wizard to set up a tunnel between my 2 offices over the internet. My question is: when I put in the config the source and destination networks to be protected, will this just encrypt those networks? And do I now need to create an access list, or is that included in the protected networks statement?

cheers

Carl

2 Replies

IGBarrere
Level 1

This probably belongs in security, but either way. The networks you enter for remote and local are the only ones encrypted. If the ASA receives a packet from the local network described in your configuration to the remote network you specified, it will be sent down the tunnel. If it receives a packet anywhere else, it will route it normally (conditions permitting, of course). These two network statements must match on the remote and local sides (the same networks need to be specified), otherwise phase 2 will fail.

Depending on the implementation, you may or may not need to add additional access lists to allow said traffic. If the command "sysopt connection permit-vpn" is enabled (which it is by default), all VPN traffic bypasses any access list. While this isn't very secure, it's easy since you don't need to explicitly allow VPN traffic. If that command is not enabled, and you don't want it enabled, you must write a separate access list permitting the VPN traffic through and apply it to an interface.
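The following ASA configuration fragment is an added illustration of what the reply above describes, not config taken from this thread or from the wizard output: the crypto ACL that selects the encrypted traffic, its mirror image on the far peer, and an explicit interface ACL used in place of the default "sysopt connection permit-vpn" bypass. All addresses, object and ACL names are made-up values, and the IKEv1 phase 1 pieces the wizard generates (crypto ikev1 enable, isakmp policy, tunnel-group with the pre-shared key) are left out.

```cisco
! --- Site A ASA (constructed example) ---
! inside LAN 192.168.1.0/24, outside address 203.0.113.1, Site B peer 198.51.100.1
object network SITEA_LAN
 subnet 192.168.1.0 255.255.255.0
object network SITEB_LAN
 subnet 192.168.2.0 255.255.255.0

! Crypto ACL: this is the local/remote "protected networks" pair the wizard asks for.
! Only packets matching it are encrypted; everything else is routed normally.
access-list VPN_SITEA_TO_SITEB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Keep the protected traffic out of NAT so it still matches the crypto ACL (8.3+ syntax)
nat (inside,outside) source static SITEA_LAN SITEA_LAN destination static SITEB_LAN SITEB_LAN no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_SITEA_TO_SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! A default route toward the Internet router is sufficient: the crypto map
! intercepts matching packets as they leave the outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.254

! Hardening: stop VPN traffic from bypassing the interface ACL, then permit
! only what Site B actually needs to reach (here one HTTPS server).
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- Site B ASA: its crypto ACL must be the exact mirror, or phase 2 fails ---
access-list VPN_SITEB_TO_SITEA extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
```

Once the tunnel is up, `show crypto ipsec sa` lists the local/remote identity pair taken from the crypto ACL together with the encaps/decaps counters, which is the quickest way to confirm that only the protected networks are being encrypted.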

Thanks for that. So, can you tell me what routes I would need to put in, or again, would they be sent down the tunnel without any routes? Do I just point a default route out to my internet router? Do I need to point the routes for the remote network to the tunnel's peer address?

cheers

Carl
