I am looking through some firewall configs and I see the Local Network and Remote Network of the site-to-site VPNs are /32 addresses. Also, "Enable inbound VPN sessions to bypass interface access lists" is checked. This is our backup solution if our MPLS circuit goes down. So what I am asking is: with this configuration, will all traffic routed to the firewall go through the VPN? Version 8.2.
This would also depend on the configuration at the remote site.
1. The remote VPN peer IP address needs to be reachable by the firewall.
2. The crypto ACL at the remote site needs to be the mirror image of that at the local site.
3. Encryption, DH group, pre-shared key, hash, and transform set need to match at both ends.
4. NAT exemption at both ends needs to be configured so that the traffic to be encrypted does not get NATed.
If that doesn't answer your question, we would need to see the configuration of both the local and remote VPN sites to get a clearer picture.
Well, my first thought would be that this will only encrypt traffic from a specific host... I would need to see the configuration to get a better understanding. But the ACLs which define interesting traffic (Local Network and Remote Network in your case) are what identify which traffic will be encrypted and sent over the VPN. So if a /32 address is specified in the ACL for the local network, the remote network, or both, then only that host (or group of hosts, if more are defined) would be encrypted and sent over the VPN.
Yes, I would agree with setting up a maintenance window and then running a failover test to see if the traffic will actually pass. As mentioned, my thought would be that only the permitted IPs in the ACL will pass.
Let us know how it goes.
You are only looking at the Remote/Local networks in ASDM, aren't you? Depending on the ASDM version, you won't see all entries of the full crypto ACL. So start on the CLI with "sh run crypto map" to see which ACL is used, and then look at that ACL to see if there are more lines that are not visible in ASDM.
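As an added illustration of the two points made in the replies above (a /32 crypto ACL entry selects only host-to-host traffic, and the CLI ACL may contain lines the ASDM view does not show), here is a small Python check that is not from this thread. It parses constructed `show run crypto map` output (the peer, map name, ACL name and addresses are made up) and reports which crypto ACL line, if any, would send a given source/destination pair into the tunnel.

```python
"""Added example: read an ASA crypto map and its crypto ACL and check which flows
would actually be selected for the site-to-site tunnel."""
import ipaddress
import re

# Constructed `show run crypto map` / ACL output for illustration only (not from a real device).
# ACL line 1 is the host-to-host (/32) entry; line 2 stands for an entry that exists on the
# CLI but may not be visible in the ASDM Local/Remote network view.
SAMPLE_CONFIG = """\
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
access-list outside_cryptomap extended permit ip host 192.0.2.10 host 198.51.100.10
access-list outside_cryptomap extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
"""


def _parse_endpoint(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'NET MASK'); return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def crypto_acl_name(config, crypto_map):
    """ACL referenced by 'crypto map <name> <seq> match address <acl>' (None if not found)."""
    m = re.search(rf"^crypto map {re.escape(crypto_map)} \d+ match address (\S+)", config, re.M)
    return m.group(1) if m else None


def parse_crypto_acl(config, acl_name):
    """Return the ACL's 'permit ip' entries as (src_network, dst_network) pairs, in CLI order."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} extended permit ip (.+)$", re.M)
    entries = []
    for m in pat.finditer(config):
        src, rest = _parse_endpoint(m.group(1).split())
        dst, _ = _parse_endpoint(rest)
        entries.append((src, dst))
    return entries


def matching_entry(entries, src_ip, dst_ip):
    """0-based index of the first crypto ACL entry that selects this flow, or None (not encrypted)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((i for i, (src, dst) in enumerate(entries) if s in src and d in dst), None)


if __name__ == "__main__":
    acl = parse_crypto_acl(SAMPLE_CONFIG, crypto_acl_name(SAMPLE_CONFIG, "outside_map"))
    for src, dst in [("192.0.2.10", "198.51.100.10"), ("192.0.2.20", "198.51.100.20"), ("10.0.0.5", "198.51.100.10")]:
        hit = matching_entry(acl, src, dst)
        print(f"{src} -> {dst}: " + (f"tunnel (ACL line {hit + 1})" if hit is not None else "NOT in tunnel"))
```

Passing only the first entry to `matching_entry` reproduces the ASDM-only view: the subnet-to-subnet flow then shows as not encrypted, which is exactly the discrepancy the failover test would surface.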