cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4028
Views
0
Helpful
6
Replies

ASA site to site VPN bypass access list

Hi,

I am looking through some firewall configs and I see the Local Network and Remote Network site to site vpn's are /32 addresses. Also the Enable inbound VPN sessions to bypass interface access lists, is checked. This is our backup solution if our MPLS circuit goes down. So what I am asking is with this configuration will all traffic routed to the firewall go through VPN? version 8.2

Thanks

Doug

6 Replies 6

This would also depend on the configuration at the remote site.

1. So the remote vpn peer ip address needs to be reachable by the firewall.

2. The crypto ACL at the remote site needs to be the mirror image of that at the local site.

3. encryption, DH group, preshared key, hash, transform set need to match at both ends

4. NAT exempt at both ends needs to be configured so that the traffic to be encrypted does not get NATed.

If that doesn't answer your question, we would need to see the configuration of both the local and remote vpn sites to get a clearer picture.

--
Please remember to select a correct answer and rate helpful posts

Marius,

It all works fine. I'm just wondering why. I have always made VPN's with a subnet for the local and remote networks and a cooresponding ACL. I've never seen this setup before.

Well my first though would be that this will only encrypt traffic from a specific host...I would need to see the configuration to get a better understanding.  But the ACLs which define interesting traffic (Local network and Remote network in your case) is what identifies what traffic that will be encrypted and sent over the VPN.  So if a /32 address is specified in the ACL for the local network, remote network, or both then only that host (or group of hosts if there are more defined) would be encrypted and sent over the VPN.

--
Please remember to select a correct answer and rate helpful posts

Marius,
You and I are thinking the same way. I can't see how it would. Anyway I'll consult with the old timers here and see it in action.

Thanks

yes, I would agree in setting up a maintenance window and then run a failover test to see if the traffic will actually pass.  As mentioned my thought would be that only the permitted IPs in the ACL will pass.

Let us know how it goes.

--
Please remember to select a correct answer and rate helpful posts

You are only looking at the Remote/Local networks in ASDM, are you? Based on the ASDM-version you won't see all entries of the full crypto ACL. So start on CLI with "sh run crypto map" to see which ACL is used and then look at that ACL to see if there are more lines that are not visible in ASDM.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: