I understand that a crypto map lets you match the source IPs before traffic is routed through the VPN.
Since an IPsec static VTI does not use crypto maps, how do you restrict the type of traffic that can pass through it?
Here is my next question:
Me: 22.214.171.124 - my internal networks: 192.168.1.0/24, 192.168.2.0/24
Client: 126.96.36.199 - my client's internal network: 10.0.0.0/8
I want 192.168.1.0/24 to reach 10.0.0.0/8 through the VPN, but 192.168.2.0/24 should not be able to access 10.0.0.0/8.
How would I do that? A few examples would be good to help me understand this.

crypto keyring equinix-XX-keyring
  local-address 188.8.131.52
  pre-shared-key address 184.108.40.206 key keypassword
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp profile equinix-XX-isakmp
   keyring equinix-XX-keyring
   match identity address 220.127.116.11 255.255.255.255
   local-address 18.104.22.168
!
crypto ipsec transform-set equinix-XX-transform esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile equinix-XX-ipsec
 set transform-set equinix-XX-transform
 set pfs group2
!
interface Tunnel1
 ip address 169.254.249.38 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source 22.214.171.124
 tunnel mode ipsec ipv4
 tunnel destination 126.96.36.199
 tunnel protection ipsec profile equinix-XX-ipsec
 ip virtual-reassembly
Access-lists, FW (ZBF, CBAC) and all other features work on an SVTI the same way they would work on a physical or other logical interface (with very few exceptions).
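As an added example (not from the original post or the answer above), here is how the answer's point applies to the addressing in the question: an extended ACL applied outbound on Tunnel1 filters packets before they are encapsulated, so only 192.168.1.0/24 can reach 10.0.0.0/8 and 192.168.2.0/24 is dropped at the tunnel. The ACL names, the explicit deny with `log`, and the inbound mirror ACL are my choices; the subnets are the ones given in the question.

```cisco
! Added example: restrict which internal subnets may use the SVTI.
! An outbound ACL on the tunnel interface is evaluated on the clear-text
! packet before IPsec encapsulation, so unwanted traffic never gets encrypted.
ip access-list extended VPN-TO-CLIENT-OUT
 ! only 192.168.1.0/24 may talk to the client's 10.0.0.0/8
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 ! explicit deny for 192.168.2.0/24 so hits show up in the counters / syslog
 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 ! anything else is dropped by the implicit deny at the end of the list
!
! Inbound mirror (optional): accept client traffic only towards the subnet
! that is allowed to use the tunnel, so 192.168.2.0/24 is unreachable from
! 10.0.0.0/8 as well, not just the other way around.
ip access-list extended VPN-FROM-CLIENT-IN
 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
interface Tunnel1
 ip access-group VPN-TO-CLIENT-OUT out
 ip access-group VPN-FROM-CLIENT-IN in
```

The route for 10.0.0.0/8 still points at Tunnel1 (assumed here as a static route such as `ip route 10.0.0.0 255.0.0.0 Tunnel1`, which the question's configuration does not show), so hosts in 192.168.2.0/24 get their packets dropped rather than forwarded over some other path. `show ip access-lists VPN-TO-CLIENT-OUT` shows the per-entry hit counts, which is the quickest way to confirm the deny entry is actually catching the traffic you expect.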