06-13-2012 11:53 AM
On an ASA, version 8.2(x), for a given VPN tunnel setup with a peer of a.b.c.d, and the interesting traffic defined as source s.t.u.v and destination w.x.y.z (and the w.x.y.z address(es) do NOT include the peer address), if host s.t.u.v tries to access the peer IP, will the traffic go across the tunnel or not?
My guess is that it will not, because the peer IP address has not been explicitly defined as 'interesting' traffic to go across the tunnel. Is this correct?
06-13-2012 11:51 PM
Yes, you are correct. It will not go across the tunnel because s.t.u.v is not part of the crypto ACL/interesting traffic.
06-14-2012 03:45 AM
Did you mean to say that I am correct because the peer address (a.b.c.d) is not part of the interesting traffic? That is, traffic from s.t.u.v to a.b.c.d will not go across the tunnel because, even though the source (s.t.u.v) is a 'potential' source for interesting traffic, the peer address (a.b.c.d) is not a 'potential' destination for interesting traffic.
Below is the example setup:
access-list VPN-ACL extended permit ip s.t.u.v w.x.y.z
crypto map map-outside 10 match address VPN-ACL
crypto map map-outside 10 set peer a.b.c.d
crypto map map-outside 10 set transform-set EXP-3DES-SHA
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 pre-shared-key ****************
Thanks.
06-14-2012 11:52 AM
Yes, because a.b.c.d is not the destination in your crypto ACL (VPN-ACL), the traffic will not be encrypted and will not go through the VPN tunnel. It will go in clear text towards the destination a.b.c.d.
BTW, you won't be able to encrypt traffic from the local VPN peer IP towards the remote VPN peer IP, because those addresses are used to build the VPN tunnel itself, even if you define them in the crypto ACL.
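As an added illustration (not code from the thread), here is a small Python model of the selection logic the answers describe: a packet is only encapsulated if its source and destination both fall inside a permit line of the crypto ACL, and traffic between the two peer addresses themselves is never encapsulated. The addresses and the ACL text are constructed stand-ins for the thread's s.t.u.v, w.x.y.z and a.b.c.d.

```python
import ipaddress

# Constructed sample values standing in for the thread's placeholders.
LOCAL_HOST = "10.1.1.10"       # s.t.u.v, the host behind the ASA
VPN_PEER = "203.0.113.5"       # a.b.c.d, the remote crypto map peer
OUTSIDE_IP = "198.51.100.2"    # the local ASA outside interface address

# Constructed crypto ACL in ASA syntax (the thread's VPN-ACL, with real address forms).
CRYPTO_ACL = [
    "access-list VPN-ACL extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0",
]


def _parse_addr(tokens, i):
    """Parse one ASA ACL address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network mask" form, e.g. 192.168.50.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(lines):
    """Return [(src_net, dst_net)] for every permit line; deny lines select nothing."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"] or "permit" not in t:
            continue
        i = t.index("permit") + 2          # skip "permit" and the protocol keyword
        src, i = _parse_addr(t, i)
        dst, _ = _parse_addr(t, i)
        entries.append((src, dst))
    return entries


def tunnel_decision(src, dst, acl_entries, local_peer, remote_peer):
    """Say whether a src->dst packet is sent through the tunnel or in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # IKE/ESP between the two peers is the tunnel transport itself, so it is
    # never encapsulated even if an ACL line happens to cover it.
    if {s, d} == {ipaddress.ip_address(local_peer), ipaddress.ip_address(remote_peer)}:
        return "clear (peer-to-peer tunnel transport)"
    for s_net, d_net in acl_entries:
        if s in s_net and d in d_net:
            return "encrypted (matches crypto ACL)"
    return "clear (no crypto ACL match)"
```

Running tunnel_decision(LOCAL_HOST, VPN_PEER, ...) returns the "no crypto ACL match" case, which is the situation the original question asks about.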