Velocity Reviews


ALeu 04-08-2009 10:20 PM

Site to Site VPN - I am lost
 
Hi guys,

I am totally confused with the Site to Site VPN configuration. Assume
there are two different companies X and Y. There is an FTP server (server
B) in network 10.20.20.0/16 which belongs to company Y. There is also an
FTP client (server A) in network 10.20.60.0/16 (note that this network
belongs to company X), which is supposed to access the FTP server. I
need to configure a Site-to-Site VPN between these two networks.

I have the following:
- 2x Cisco ASA 5520 (one at each location)
- 2 public IP addresses (1x DMZ IP address of company X and 1 of company Y)
- 2 private IP addresses 10.20.20.144/16 (company X) and 10.20.60.21/16
(company Y)

I understand that at each location ASA public interface will get the
assigned DMZ IP and the private interface the private IP address.
Destination of the tunnel on ASA X will be IP address of the FTP server
(at company Y) and destination of the tunnel of ASA Y will be the FTP
client (at company X).

What am I missing here? Is the last sentence correct? How come these two
machines can talk to one another since if you forget about the VPN
tunnel they reside in the same 10.20.0.0/16 subnets?

Thanks,
AL

flamer die.spam@hotmail.com 04-09-2009 04:04 AM

Re: Site to Site VPN - I am lost
 
On Apr 9, 10:20 am, ALeu <a...@op.pl> wrote:
> Hi guys,
>
> I am totally confused with the Site to Site VPN configuration. Assume
> there are two different companies X and Y. There is an FTP server (server
> B) in network 10.20.20.0/16 which belongs to company Y. There is also an
> FTP client (server A) in network 10.20.60.0/16 (note that this network
> belongs to company X), which is supposed to access the FTP server. I
> need to configure a Site-to-Site VPN between these two networks.
>
> I have the following:
> - 2x Cisco ASA 5520 (one at each location)
> - 2 public IP addresses (1x DMZ IP address of company X and 1 of company Y)
> - 2 private IP addresses 10.20.20.144/16 (company X) and 10.20.60.21/16
> (company Y)
>
> I understand that at each location ASA public interface will get the
> assigned DMZ IP and the private interface the private IP address.
> Destination of the tunnel on ASA X will be IP address of the FTP server
> (at company Y) and destination of the tunnel of ASA Y will be the FTP
> client (at company X).
>
> What am I missing here? Is the last sentence correct? How come these two
> machines can talk to one another since if you forget about the VPN
> tunnel they reside in the same 10.20.0.0/16 subnets?
>
> Thanks,
> AL


The VPN should point to the private IP block behind the ASA. (You also
need a route saying to get there go via this public IP).

The two sites shouldn't be in the same IP subnets, they can't be. The
private address ranges should be something like:

site a) 10.20.0.0 /16
site b) 10.60.0.0 /16

and just use one of those addresses for the local FTP server.

Flamer.

flamer die.spam@hotmail.com 04-09-2009 04:06 AM

Re: Site to Site VPN - I am lost
 
Also, I am not sure what config example you're looking at, but a
suggestion for you: ditch it, start from scratch using this one:

http://www.cisco.com/en/US/docs/secu.../sitvpn_b.html

Christoph Gartmann 04-09-2009 09:01 AM

Re: Site to Site VPN - I am lost
 
In article <grj81r$c3o$1@news.onet.pl>, ALeu <aleu@op.pl> writes:

>I am totally confused with the Site to Site VPN configuration. Assume
>there are two different companies X and Y. There is an FTP server (server
>B) in network 10.20.20.0/16 which belongs to company Y. There is also an
>FTP client (server A) in network 10.20.60.0/16 (note that this network
>belongs to company X), which is supposed to access the FTP server. I
>need to configure a Site-to-Site VPN between these two networks.


A first question: if it is only to connect the two FTP servers just
for FTP, why deal with a tunnel? In this case I would use port access
translation together with some access-lists and sFTP as the protocol used.

>I have the following:
>- 2x Cisco ASA 5520 (one at each location)
>- 2 public IP addresses (1x DMZ IP address of company X and 1 of company Y)
>- 2 private IP addresses 10.20.20.144/16 (company X) and 10.20.60.21/16
>(company Y)


>I understand that at each location ASA public interface will get the
>assigned DMZ IP and the private interface the private IP address.


Correct.

>Destination of the tunnel on ASA X will be IP address of the FTP server
>(at company Y) and destination of the tunnel of ASA Y will be the FTP
>client (at company X).


The destination IP addresses should be the DMZ addresses.

>What am I missing here? Is the last sentence correct? How come these two
>machines can talk to one another since if you forget about the VPN
>tunnel they reside in the same 10.20.0.0/16 subnets?


Here it depends on how you set up the tunnel. I would prefer different subnets
at each location.

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Immunbiologie   Phone : +49-761-5108-464 Fax: -80464
Postfach 1169                            Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html

ALeu 04-09-2009 02:51 PM

Re: Site to Site VPN - I am lost
 
Christoph Gartmann wrote:
>> Destination of the tunnel on ASA X will be IP address of the FTP server
>> (at company Y) and destination of the tunnel of ASA Y will be the FTP
>> client (at company X).

>
> The destination IP addresses should be the DMZ addresses.


Well, yes. In order to build the tunnel both ends need to see each
other. What I do not fully understand is how the two servers (the FTP
client and the FTP server) should be configured (routing wise) in order
to be able to talk to one another.

>> What am I missing here? Is the last sentence correct? How come these two
>> machines can talk to one another since if you forget about the VPN
>> tunnel they reside in the same 10.20.0.0/16 subnets?

>
> Here it depends on how you set up the tunnel. I would prefer different subnets
> at each location.


Can you configure the VPN tunnel between two identical subnets (at
different locations)? Is this possible, and if so, how does the address
translation work so that the IP addresses do not overlap and conflict?

Thanks,
AL

ALeu 04-09-2009 03:03 PM

Re: Site to Site VPN - I am lost
 
flamer die.spam@hotmail.com wrote:
> The VPN should point to the private IP block behind the ASA. (You also
> need a route saying to get there go via this public IP).


Can you elaborate on this? I understand that in order to build the
tunnel each ASA (public interface) needs to be accessible from the
Internet (most common it will be assigned a DMZ IP address). Therefore,
ASA at site A will use DMZ IP of ASA at site B to terminate the tunnel.
How are the internal hosts configured then? Is the internal interface of
the ASA @ site A their gateway to subnet at site B? What if you have
the following scenario (two VPN tunnels: between You and company X and
the other one between you and company Y):

Site X <---> You <---> Site Y

If you have a server, say S1, how do you instruct it to send the data to
Site X and another set of data to Site Y? Are you using the internal IP
address of the receiving server at Site X, when sending to it, and
define a route via the internal interface of your ASA? Similarly, when trying
to send data to the server @ site Y, you will use the internal IP address of
the receiving server at site Y and send it to the internal IP address of
your ASA terminating both tunnels?

If so, how does ASA know that first data is destined for Site X and the
second set of data is destined for site Y?

> The two sites shouldn't be in the same IP subnets, they can't be. The
> private address ranges should be something like:
>
> site a) 10.20.0.0 /16
> site b) 10.60.0.0 /16
>
> and just use one of those addresses for the local FTP server.


Well, this is the piece that is confusing me a lot. You say that there
have to be two different subnets where the internal clients reside.
However, it is quite common that two different companies will use the
same subnets for their hosts. How can this be addressed if one needs to
deploy a VPN between them?

Thanks,
AL

Christoph Gartmann 04-09-2009 03:37 PM

Re: Site to Site VPN - I am lost
 
In article <grl23r$7hr$1@news.onet.pl>, ALeu <aleu@op.pl> writes:
>Christoph Gartmann wrote:
>>> Destination of the tunnel on ASA X will be IP address of the FTP server
>>> (at company Y) and destination of the tunnel of ASA Y will be the FTP
>>> client (at company X).

>>
>> The destination IP addresses should be the DMZ addresses.

>
>Well, yes. In order to build the tunnel both ends need to see each
>other. What I do not fully understand is how the two servers (the FTP
>client and the FTP server) should be configured (routing wise) in order
>to be able to talk to one another.


It is not a matter of the FTP servers, it is more a matter of the routing at
the ASAs. Assume you use different IP address ranges at location X and Y, e.g.
X has 10.1.60.x and Y has 10.1.70.y, then you tell ASA on location X to
route 10.1.70.y via the tunnel. The same for ASA on location Y the other way
round.

>Can you configure the VPN tunnel between two identical subnets (at
>different locations)? Is this possible, and if so, how does the address
>translation work so that the IP addresses do not overlap and conflict?


I think I was wrong here. The ASA has somehow to decide which packets should go
through the tunnel and which packets are local.

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer Immunbiologie   Phone : +49-761-5108-464 Fax: -80464
Postfach 1169                            Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html
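As an added illustration of Christoph's point that the decision lives in the routing at the ASAs, and of AL's hub question (Site X <---> You <---> Site Y), here is a small Python model that is not from the thread and was not posted by any participant. The addresses, tunnel names and the ACL shape are constructed assumptions; the model mimics how an ASA picks the tunnel whose crypto-map ACL matches a packet's source/destination pair, and it flags the overlapping address ranges that make that choice ambiguous, which is why both replies insist on distinct subnets.

```python
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed hub topology for "Site X <---> You <---> Site Y" (assumed
# values, not from the thread). On an ASA each tunnel is a crypto-map entry
# whose "match address" ACL lists the local/remote pairs ("interesting
# traffic") that belong in that tunnel; the peer is the other ASA's DMZ IP.
LOCAL_NET = Net("10.1.50.0/24")                       # your own inside network
CRYPTO_MAP: List[Tuple[str, str, List[Tuple[Net, Net]]]] = [
    # (tunnel name, peer public/DMZ address, ACL as [(local, remote), ...])
    ("to-site-X", "203.0.113.10", [(LOCAL_NET, Net("10.1.60.0/24"))]),
    ("to-site-Y", "198.51.100.20", [(LOCAL_NET, Net("10.1.70.0/24"))]),
]


def select_tunnel(src: str, dst: str, crypto_map=CRYPTO_MAP) -> Optional[str]:
    """Name of the tunnel whose ACL matches (src, dst); None means the packet
    is not interesting traffic and is forwarded in the clear (local traffic).
    First match wins, like the ASA walking crypto-map sequence numbers."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, _peer, acl in crypto_map:
        if any(s in local and d in remote for local, remote in acl):
            return name
    return None


def overlap_problems(local_net: Net = LOCAL_NET, crypto_map=CRYPTO_MAP) -> List[str]:
    """A remote range overlapping the local one is seen as on-link by the
    hosts, so the packets never reach the ASA; two overlapping remote ranges
    make select_tunnel() ambiguous (the first entry always wins)."""
    problems: List[str] = []
    remotes = [(name, r) for name, _p, acl in crypto_map for _l, r in acl]
    for name, r in remotes:
        if r.overlaps(local_net):
            problems.append(f"{name}: remote {r} overlaps local {local_net}")
    for i, (n1, r1) in enumerate(remotes):
        for n2, r2 in remotes[i + 1:]:
            if r1.overlaps(r2):
                problems.append(f"{n1}/{n2}: remote {r1} overlaps remote {r2}")
    return problems


if __name__ == "__main__":
    print(select_tunnel("10.1.50.5", "10.1.60.21"))    # to-site-X
    print(select_tunnel("10.1.50.5", "10.1.70.144"))   # to-site-Y
    print(select_tunnel("10.1.50.5", "10.1.50.9"))     # None: stays local
    # the original layout, one 10.20.0.0/16 at both ends, is flagged:
    same = [("to-site-Y", "198.51.100.20", [(Net("10.20.0.0/16"), Net("10.20.0.0/16"))])]
    print(overlap_problems(Net("10.20.0.0/16"), same))
```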

