LAN to LAN VPN

The_guroo_2
Level 2

Guys, suppose we have a VPN to a different site and we would like to encrypt the data, so normally we make an access list which is used for interesting traffic and used in the crypto map.

So my network is 10.1.1.0/24 and the remote site is 10.2.2.0/24. Would my access list depend on which site initiates traffic, or should I use both in the access list?

I am trying to get my head around whether, if I see a crypto map and see an access list, I should be able to tell which site initiates the connection.

Jennifer Halim
Cisco Employee

The access-list on the crypto map that you should see should be as follows:

access-list permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

That assumes that you have an ASA firewall. If you are using a router, then the access-list would use a wildcard mask:

access-list permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

The remote end should have the mirror image access-list, so the remote end would say:

access-list permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

The ACL does not tell you which site can initiate the connection. Typically both sides can initiate the connection, unless one end has a dynamic public IP address as the VPN termination point on the outside interface; then only the dynamic end can initiate the tunnel.

If it's a static crypto map, instead of a dynamic crypto map, then typically both sides can initiate the tunnel. The crypto ACL needs to be a mirror image on both sides.

Hi Jennifer

As always, an excellent reply from yourself. Now, both sites have static public IP addresses.

I have seen that in many crypto map ACLs in our ASA, both sites' configs are configured, for example:

access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

access-list ABC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

That's why I really get confused.

Secondly, I have checked my ASA and it has the following commands:

crypto dynamic-map outside_dyn_map 999 set transform-set ESP-3DES-SHA ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 999 set security-association lifetime seconds 86400

What does this mean? Please explain the difference between dynamic and static crypto map.

Thanks again

The crypto ACL does not seem correct. Looks like someone has configured it both ways, which is incorrect. It should only be in one direction, i.e. source: local LAN, and destination: remote LAN.

From your example, if 10.1.1.0/24 is the local LAN, and 10.2.2.0/24 is the remote LAN:

On the local ASA:

access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

On the remote ASA:

access-list ABC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

Dynamic crypto map is used for VPN Client connection, and/or VPN that has dynamic IP Address. Because the IP address changes for the VPN peer that has dynamic IP, and for VPN Client, we never know what ip address the VPN Client will be connecting from, dynamic crypto map is used.

Static crypto map is used when the remote end has static VPN Peer ip address.

Hope that is clear.

The_guroo_2
Level 2

Hi, thanks for the reply. So it means that it does matter which site initiates the connection, even if I have a mail server which is 10.1.1.1 and client 10.2.2.0 is accessing it? Still in that case it should be the same ACL, with source as my local LAN and destination should be the 10.2.x network. Will it work? Suppose the mail server starts initiating, will it still work? Thanks again.

Yes, it doesn't matter which site initiates the connection in your case; both sides can initiate the connection.

10.1.1.1 and 10.2.2.x can both initiate the connection and it will bring up the VPN tunnel.

The access-list should only be configured in one direction, i.e. source: local LAN, destination: remote LAN.
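
An added example, not part of the original thread and not Cisco tooling: a small Python check of the rule given in the replies above (crypto ACL in one direction per device, mirror image on the peer). The config strings are constructed from the thread's addresses; the numbered ACL `101` on the router side and all function names are assumptions.

```python
import ipaddress
import re

# "access-list NAME [extended] permit ip SRC MASK DST MASK"
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)

def parse_crypto_acl(config):
    """Return the set of (source, destination) networks the ACL lines permit."""
    entries = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        _name, src, src_mask, dst, dst_mask = m.groups()
        # IPv4Network accepts an ASA netmask and an IOS wildcard mask alike.
        entries.add((ipaddress.IPv4Network(f"{src}/{src_mask}"),
                     ipaddress.IPv4Network(f"{dst}/{dst_mask}")))
    return entries

def audit(local_cfg, remote_cfg):
    """List deviations from 'one direction per device, mirrored on the peer'."""
    local, remote = parse_crypto_acl(local_cfg), parse_crypto_acl(remote_cfg)
    findings = []
    for label, acl in (("local", local), ("remote", remote)):
        for src, dst in sorted(acl):
            # Report each pair once when both directions exist on one device.
            if src < dst and (dst, src) in acl:
                findings.append(f"{label}: {src} <-> {dst} configured in both directions")
    if {(dst, src) for src, dst in local} != remote:
        findings.append("local and remote crypto ACLs are not mirror images")
    return findings

# Constructed sample configs (ASA netmask on one side, router wildcard on the other).
LOCAL_ASA = "access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"
REMOTE_ROUTER = "access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
LOCAL_BOTH_WAYS = LOCAL_ASA + "\n" + \
    "access-list ABC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"

if __name__ == "__main__":
    print(audit(LOCAL_ASA, REMOTE_ROUTER))
    print(audit(LOCAL_BOTH_WAYS, REMOTE_ROUTER))
```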