Add an IP to Encryption domain/interesting traffic

Arif
Level 1

Hi, I have been instructed to add a specific IP to the encryption domain/interesting traffic, but I don't know how.

How can I add a specific IP to that? Thanks...

1 Accepted Solution

Deepak Kumar
VIP Alumni

Hi,

If this VPN is already running, then you must find a crypto map, and one ACL is also applied in the crypto map with the configuration command "match address ..." (... is the ACL number or name).

Here is an example:

! ACL that defines the interesting traffic
ip access-list extended VPN-TRAFFIC
 10 permit ip <Local LAN Subnet> any
 ! Add this new entry
 11 permit ip <source IP/Subnet> <Destination IP/Subnet>
!
! Crypto map
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 ! ACL applied in the crypto map
 match address VPN-TRAFFIC
 set peer <WAN IP of remote end>
 set transform-set MY-SET

Note: The ACL name/number or crypto map may be different in your configuration.

If you are not sure, then please share the running configuration. You may also deny the same source subnet and destination subnet in your NAT ACL.

Regards,

Deepak Kumar

3 Replies

Look at the corresponding "crypto map" configuration; there you will find a referenced ACL ("match address ...") that specifies which traffic should be protected with this VPN. Just add another line with the new traffic needs.
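The change described in the accepted solution and in the reply above, written out with concrete values as an added example (not configuration from the thread). All addresses, the NAT ACL name NAT-TRAFFIC and the interface GigabitEthernet0/0 are constructed assumptions; the crypto map, crypto ACL and transform-set names are the ones used in the accepted solution.

```cisco
! Constructed values: local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24,
! new host to add 10.1.50.25, remote peer 203.0.113.10.
!
! Crypto ACL (encryption domain / interesting traffic).
! Entry 20 is the new line that brings the specific IP into the VPN.
ip access-list extended VPN-TRAFFIC
 10 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 20 permit ip host 10.1.50.25 10.2.2.0 0.0.0.255
!
! NAT ACL (name assumed). On IOS, inside-to-outside NAT runs before the
! crypto map is evaluated, so the same flows are denied here first;
! otherwise the translated source no longer matches VPN-TRAFFIC and the
! packet leaves the interface unencrypted.
ip access-list extended NAT-TRAFFIC
 10 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 20 deny ip host 10.1.50.25 10.2.2.0 0.0.0.255
 30 permit ip 10.1.1.0 0.0.0.255 any
 40 permit ip host 10.1.50.25 any
!
! Outside interface name is an assumption.
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
!
! The crypto map itself does not change; it already references the ACL.
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set peer 203.0.113.10
 set transform-set MY-SET
!
! The remote peer needs the mirror-image entry in its own crypto ACL,
! or the IPsec SA for the new flow will not be negotiated:
!   permit ip 10.2.2.0 0.0.0.255 host 10.1.50.25
!
! Checks after the change (exec mode):
!   show access-lists VPN-TRAFFIC   hit counters on the new entry
!   show crypto map                 ACL bound to the crypto map
!   show crypto ipsec sa            SA with local ident 10.1.50.25/32
```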

Thanks for your detailed information...