Site to Site VPN - I am lost

Discussion in 'Cisco' started by ALeu, Apr 8, 2009.

  1. ALeu

    ALeu Guest

    Hi guys,

    I am totally confused with the Site to Site VPN configuration. Assume
    there are two different companies X and Y. There is a FTP server (server
    B) in network 10.20.20.0/16 which belongs to company Y. There is also a
    FTP client (server A) in network 10.20.60.0/16 (note that this network
    belongs to company X), which is supposed to access the FTP server. I
    need to configure a Site-to-Site VPN between these two networks.

    I have the following:
    - 2x Cisco ASA 5520 (one at each location)
    - 2 public IP addresses (1x DMZ IP address of company X and 1 of company Y)
    - 2 private IP addresses 10.20.20.144/16 (company X) and 10.20.60.21/16
    (company Y)

    I understand that at each location ASA public interface will get the
    assigned DMZ IP and the private interface the private IP address.
    Destination of the tunnel on ASA X will be IP address of the FTP server
    (at company Y) and destination of the tunnel of ASA Y will be the FTP
    client (at company X).

    What am I missing here? Is the last sentence correct? How come these two
    machines can talk to one another since if you forget about the VPN
    tunnel they reside in the same 10.20.0.0/16 subnets?

    Thanks,
    AL
    ALeu, Apr 8, 2009
    #1
  2. flamer

    flamer Guest

    On Apr 9, 10:20 am, ALeu <> wrote:
    > Hi guys,
    >
    > I am totally confused with the Site to Site VPN configuration. Assume
    > there are two different companies X and Y. There is a FTP server (server
    > B) in network 10.20.20.0/16 which belongs to company Y. There is also a
    > FTP client (server A) in network 10.20.60.0/16 (note that this network
    > belongs to company X), which is supposed to access the FTP server. I
    > need to configure a Site-to-Site VPN between these two networks.
    >
    > I have the following:
    > - 2x Cisco ASA 5520 (one at each location)
    > - 2 public IP addresses (1x DMZ IP address of company X and 1 of company Y)
    > - 2 private IP addresses 10.20.20.144/16 (company X) and 10.20.60.21/16
    > (company Y)
    >
    > I understand that at each location ASA public interface will get the
    > assigned DMZ IP and the private interface the private IP address.
    > Destination of the tunnel on ASA X will be IP address of the FTP server
    > (at company Y) and destination of the tunnel of ASA Y will be the FTP
    > client (at company X).
    >
    > What am I missing here? Is the last sentence correct? How come these two
    > machines can talk to one another since if you forget about the VPN
    > tunnel they reside in the same 10.20.0.0/16 subnets?
    >
    > Thanks,
    > AL


    The VPN should point to the private IP block behind the ASA. (You also
    need a route saying to get there go via this public IP).

    The two sites shouldn't be in the same IP subnets, they can't be. The
    private address ranges should be something like:

    site a) 10.20.0.0 /16
    site b) 10.60.0.0 /16

    and just use one of those addresses for the local FTP server.

    Flamer.
    flamer , Apr 9, 2009
    #2
  4. In article <grj81r$c3o$>, ALeu <> writes:

    >I am totally confused with the Site to Site VPN configuration. Assume
    >there are two different companies X and Y. There is a FTP server (server
    >B) in network 10.20.20.0/16 which belongs to company Y. There is also a
    >FTP client (server A) in network 10.20.60.0/16 (note that this network
    >belongs to company X), which is supposed to access the FTP server. I
    >need to configure a Site-to-Site VPN between these two networks.


    A first question: if it is only to connect the two FTP servers just
    for FTP, why deal with a tunnel? In this case I would use port access
    translation together with some access-lists and sFTP as the protocol used.

    >I have the following:
    >- 2x Cisco ASA 5520 (one at each location)
    >- 2 public IP addresses (1x DMZ IP address of company X and 1 of company Y)
    >- 2 private IP addresses 10.20.20.144/16 (company X) and 10.20.60.21/16
    >(company Y)


    >I understand that at each location ASA public interface will get the
    >assigned DMZ IP and the private interface the private IP address.


    Correct.

    >Destination of the tunnel on ASA X will be IP address of the FTP server
    >(at company Y) and destination of the tunnel of ASA Y will be the FTP
    >client (at company X).


    The destination IP addresses should be the DMZ addresses.

    >What am I missing here? Is the last sentence correct? How come these two
    >machines can talk to one another since if you forget about the VPN
    >tunnel they reside in the same 10.20.0.0/16 subnets?


    Here it depends on how you set up the tunnel. I would prefer different subnets
    at each location.

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie    Phone : +49-761-5108-464 Fax: -80464
    Postfach 1169                             Internet: gartmann@immunbio dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
    Christoph Gartmann, Apr 9, 2009
    #4
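    The no-tunnel alternative raised in #4 (port address translation plus access lists, with SFTP so the session itself is encrypted) would look roughly like this on Company Y's ASA. This is an added example, not configuration from anyone in this thread; it uses ASA 8.3+ object NAT syntax, and the server address, the published public address and the partner client's source address are constructed placeholders.

```cisco
! Added example (not from the thread). ASA 8.3+ syntax, Company Y's ASA.
! Constructed addresses: SFTP server 10.20.20.144 on the inside, published
! on 203.0.113.10 outside; Company X's client leaves its network from
! 198.51.100.21. Both public addresses are RFC 5737 documentation ranges.
object network SFTP_SERVER
 host 10.20.20.144
 ! Static PAT: expose only TCP/22 of this host on the public address.
 ! No other port of the server is reachable from outside.
 nat (inside,outside) static 203.0.113.10 service tcp 22 22

! Inbound access list on the outside interface. Since ASA 8.3 the interface
! ACL is evaluated against the REAL (untranslated) server address, so the
! rule names the object, not 203.0.113.10. Only the partner's source
! address may reach port 22; the implicit deny at the end drops the rest.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.21 object SFTP_SERVER eq 22
access-group OUTSIDE_IN in interface outside
```

    Because it is SFTP (SSH) rather than plain FTP, the data channel problem that makes FTP awkward through NAT does not arise, and the transfer is encrypted end to end without any IPsec. Confirm the translation with `packet-tracer input outside tcp 198.51.100.21 40000 203.0.113.10 22` and the hit counters with `show access-list OUTSIDE_IN`.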
  5. ALeu

    ALeu Guest

    Christoph Gartmann wrote:
    >> Destination of the tunnel on ASA X will be IP address of the FTP server
    >> (at company Y) and destination of the tunnel of ASA Y will be the FTP
    >> client (at company X).

    >
    > The destination IP addresses should be the DMZ addresses.


    Well, yes. In order to build the tunnel both ends need to see each
    other. What I do not fully understand is how the two servers (the FTP
    client and FTP server) should be configured (routing-wise) in order to be
    able to talk to one another.

    >> What am I missing here? Is the last sentence correct? How come these two
    >> machines can talk to one another since if you forget about the VPN
    >> tunnel they reside in the same 10.20.0.0/16 subnets?

    >
    > Here it depends on how you set up the tunnel. I would prefer different subnets
    > at each location.


    Can you configure the VPN tunnel between two identical subnets (at
    different locations)? Is this possible, and if so, what does the address
    translation look like so that the IP addresses do not overlap and conflict?

    Thanks,
    AL
    ALeu, Apr 9, 2009
    #5
  6. ALeu

    ALeu Guest

    flamer wrote:
    > The VPN should point to the private IP block behind the ASA. (You also
    > need a route saying to get there go via this public IP).


    Can you elaborate on this? I understand that in order to build the
    tunnel each ASA (public interface) needs to be accessible from the
    Internet (most common it will be assigned a DMZ IP address). Therefore,
    ASA at site A will use DMZ IP of ASA at site B to terminate the tunnel.
    How are the internal hosts configured then? Is the internal interface of
    the ASA @ site A their gateway to subnet at site B? What if you have
    the following scenario (two VPN tunnels: between You and company X and
    the other one between you and company Y):

    Site X <---> You <---> Site Y

    If you have a server, say S1, how do you instruct it to send the data to
    Site X and another set of data to Site Y? Are you using the internal IP
    address of the receiving server at Site X when sending to it, and
    defining a route via the internal interface of your ASA? Similarly, when trying
    to send data to the server @ site Y, will you use the internal IP address of
    the receiving server at site Y and send it to the internal IP address of
    your ASA terminating both tunnels?

    If so, how does ASA know that first data is destined for Site X and the
    second set of data is destined for site Y?

    > The two sites shouldn't be in the same IP subnets, they can't be. The
    > private address ranges should be something like:
    >
    > site a) 10.20.0.0 /16
    > site b) 10.60.0.0 /16
    >
    > and just use one of those addresses for the local FTP server.


    Well, this is the piece that is confusing me a lot. You say that there
    have to be two different subnets where the internal clients reside.
    However, it is quite common that two different companies will use the
    same subnets for their hosts. How can this be addressed if one needs to
    deploy a VPN between them?

    Thanks,
    AL
    ALeu, Apr 9, 2009
    #6
  7. In article <grl23r$7hr$>, ALeu <> writes:
    >Christoph Gartmann wrote:
    >>> Destination of the tunnel on ASA X will be IP address of the FTP server
    >>> (at company Y) and destination of the tunnel of ASA Y will be the FTP
    >>> client (at company X).

    >>
    >> The destination IP addresses should be the DMZ addresses.

    >
    >Well, yes. In order to build the tunnel both ends need to see each
    >other. What I do not fully understand is how the two servers (the FTP
    >client and FTP server) should be configured (routing-wise) in order to be
    >able to talk to one another.


    It is not a matter of the FTP servers, it is more a matter of the routing at
    the ASAs. Assume you use different IP address ranges at location X and Y, e.g.
    X has 10.1.60.x and Y has 10.1.70.y, then you tell ASA on location X to
    route 10.1.70.y via the tunnel. The same for ASA on location Y the other way
    round.

    >Can you configure the VPN tunnel between two identical subnets (at
    >different locations)? Is this possible, if so what does the address
    >translation so that the ip addresses do not overlap and conflict?


    I think I was wrong here. The ASA has somehow to decide which packets should go
    through the tunnel and which packets are local.

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Immunbiologie    Phone : +49-761-5108-464 Fax: -80464
    Postfach 1169                             Internet: gartmann@immunbio dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
    Christoph Gartmann, Apr 9, 2009
    #7
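    The routing question in #6 and #7 (how the ASA knows which packets belong to which tunnel, and what to do when the two companies both use 10.20.0.0/16) is decided by the crypto ACLs and the NAT rules on each ASA, not by anything on the FTP hosts. Below is an added configuration example for the hub ASA ("You" in the Site X <---> You <---> Site Y diagram); it is not from anyone in this thread. It uses ASA 8.4+ syntax, which is newer than the `crypto isakmp` / `nat 0 access-list` syntax these 2009-era 5520s would have run, so translate accordingly. All object names, the addresses (RFC 5737 documentation ranges on the public side, 10.x and 172.16.x/172.17.x on the private side) and the pre-shared-key placeholders are assumptions.

```cisco
! Added example (not from the thread). ASA 8.4+ syntax, hub ASA ("You").
! Assumed addressing (constructed):
!   hub inside  10.20.0.0/16   hub outside 203.0.113.2, default gateway 203.0.113.1
!   Site X      10.60.0.0/16   Site X ASA public address 198.51.100.10
!   Site Y      10.20.0.0/16   Site Y ASA public address 192.0.2.10  (overlaps the hub)
! For Site Y both sides agree on non-overlapping "mapped" ranges: the hub is seen
! by Site Y as 172.16.0.0/16 and Site Y is seen by the hub as 172.17.0.0/16.
! Site Y's ASA must carry the mirror-image NAT rule for its own 10.20.0.0/16.

object network HUB_LAN
 subnet 10.20.0.0 255.255.0.0
object network SITEX_LAN
 subnet 10.60.0.0 255.255.0.0
object network HUB_LAN_MAPPED
 subnet 172.16.0.0 255.255.0.0
object network SITEY_LAN_MAPPED
 subnet 172.17.0.0 255.255.0.0

! Interesting-traffic ACLs, one per peer. This is the answer to "how does the
! ASA know": each crypto map entry encrypts only what its ACL matches and sends
! it to that entry's peer. Hosts need no per-site routes; their default gateway
! is simply the ASA inside interface.
access-list VPN_TO_SITEX extended permit ip object HUB_LAN object SITEX_LAN
access-list VPN_TO_SITEY extended permit ip object HUB_LAN_MAPPED object SITEY_LAN_MAPPED

! Site X: identity NAT so real addresses cross the tunnel untranslated.
nat (inside,outside) source static HUB_LAN HUB_LAN destination static SITEX_LAN SITEX_LAN no-proxy-arp route-lookup
! Site Y: translate our 10.20/16 to 172.16/16 only when the destination is Site Y's
! mapped range 172.17/16 (policy NAT, applied before encryption). Hub hosts address
! Site Y servers as 172.17.x.y, so the overlapping 10.20/16 never appears on the wire.
nat (inside,outside) source static HUB_LAN HUB_LAN_MAPPED destination static SITEY_LAN_MAPPED SITEY_LAN_MAPPED no-proxy-arp

! Phase 1 (IKEv1) and Phase 2 (IPsec) proposals, shared by both tunnels.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! One crypto map bound to the outside interface, one sequence number per peer.
! The peer (tunnel endpoint) is the other ASA's public/DMZ address, as #4 says.
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITEX
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN_TO_SITEY
crypto map OUTSIDE_MAP 20 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! One tunnel-group per peer, named by the peer's public address.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-FOR-SITE-X-placeholder>
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-FOR-SITE-Y-placeholder>

! The routing table only has to get packets toward the peers; the crypto map,
! not a route, decides which tunnel (if any) a packet enters.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

    Each remote ASA carries the mirror image: its own LAN object as source, the hub's real (Site X) or mapped (Site Y) range as destination, and the hub's 203.0.113.2 as peer. To check which tunnel a flow would take before sending real traffic, run `packet-tracer input inside tcp 10.20.0.5 1025 172.17.0.10 22` on the hub and look for the VPN phase in the output; `show crypto ipsec sa` then shows per-peer encrypt/decrypt counters once the tunnels are up.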