Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4109
Views
0
Helpful
6
Replies

ASA site to site VPN bypass access list

Douglas Bradfield
Level 1
Level 1

‎08-27-2013 11:54 AM - edited ‎03-11-2019 07:31 PM

Hi,

I am looking through some firewall configs and I see the Local Network and Remote Network site to site vpn's are /32 addresses. Also the Enable inbound VPN sessions to bypass interface access lists, is checked. This is our backup solution if our MPLS circuit goes down. So what I am asking is with this configuration will all traffic routed to the firewall go through VPN? version 8.2

Thanks

Doug

Labels:
0 Helpful
6 Replies 6

Marius Gunnerud
VIP
VIP

‎08-27-2013 12:25 PM

This would also depend on the configuration at the remote site.

1. So the remote vpn peer ip address needs to be reachable by the firewall.

2. The crypto ACL at the remote site needs to be the mirror image of that at the local site.

3. encryption, DH group, preshared key, hash, transform set need to match at both ends

4. NAT exempt at both ends needs to be configured so that the traffic to be encrypted does not get NATed.

If that doesn't answer your question, we would need to see the configuration of both the local and remote vpn sites to get a clearer picture.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Douglas Bradfield
Level 1
Level 1
In response to Marius Gunnerud

‎08-27-2013 12:44 PM

Marius,

It all works fine. I'm just wondering why. I have always made VPN's with a subnet for the local and remote networks and a cooresponding ACL. I've never seen this setup before.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Douglas Bradfield

‎08-27-2013 12:58 PM

Well my first though would be that this will only encrypt traffic from a specific host...I would need to see the configuration to get a better understanding.  But the ACLs which define interesting traffic (Local network and Remote network in your case) is what identifies what traffic that will be encrypted and sent over the VPN.  So if a /32 address is specified in the ACL for the local network, remote network, or both then only that host (or group of hosts if there are more defined) would be encrypted and sent over the VPN.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Douglas Bradfield
Level 1
Level 1
In response to Marius Gunnerud

‎08-27-2013 01:05 PM

Marius,
You and I are thinking the same way. I can't see how it would. Anyway I'll consult with the old timers here and see it in action.

Thanks

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Douglas Bradfield

‎08-27-2013 01:07 PM

yes, I would agree in setting up a maintenance window and then run a failover test to see if the traffic will actually pass.  As mentioned my thought would be that only the permitted IPs in the ACL will pass.

Let us know how it goes.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Karsten Iwen
VIP
VIP

‎08-27-2013 01:19 PM

You are only looking at the Remote/Local networks in ASDM, are you? Based on the ASDM-version you won't see all entries of the full crypto ACL. So start on CLI with "sh run crypto map" to see which ACL is used and then look at that ACL to see if there are more lines that are not visible in ASDM.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card