IPsec remote gateway is in Interesting Traffic

I have a technical question about IPsec and interesting traffic.

Let's say we have a network like this:

Local

Interesting traffic = 10.10.10.10/32

Local IPsec gateway = 10.10.11.0/29

Remote

Interesting traffic = 172.16.0.0/16

Remote IPsec gateway = 172.16.10.1

As you can see, the remote gateway is interesting traffic. Wouldn't the ASA try to encrypt the communications to the remote gateway before the tunnel is even established, breaking the tunnel?

 

I have a request from a customer to do this, and I have to write a script, and if the script doesn't work, I have to submit a new change which takes a lot of time and aggravates the customer. Will this even work?

2 Replies

balaji.bandi
Hall of Fame

The tunnel will establish using the public IP address, not with internal RFC1918 address space.

Can you post the configuration and a simple diagram of how you connected each to the other?

Some log which you mentioned as tear down?

BB


Hi,
Regardless of the IP address assigned to the interface (I assume you are on a private WAN): yes, you can have the external IP address of the ASA as part of the interesting traffic. The tunnel will therefore accept traffic sourced from the ASA, e.g. NATed.

HTH
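As an added sanity check for the scenario in the question (not code from the thread or from Cisco), the following script applies the crypto ACL the way an ASA does, matching on both source and destination, to the addresses posted above. It reports whether the remote peer falls inside the remote proxy identity and whether any packet sourced from the local gateway block to the peer would itself be selected by the crypto ACL; the addresses are constructed from the thread, and the gateway block is assumed to be the ASA's own outside subnet.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values copied from the thread: one crypto ACL line
# (local source -> remote destination), the local gateway block and the
# remote IKE peer address. Nothing here comes from a live device.
CRYPTO_ACL = [("10.10.10.10/32", "172.16.0.0/16")]
LOCAL_GW_NET = "10.10.11.0/29"
REMOTE_PEER = "172.16.10.1"


def is_interesting(src, dst, acl=CRYPTO_ACL):
    """True if a src->dst packet matches a permit line of the crypto ACL.

    A crypto ACL line matches on BOTH source and destination, so a
    destination inside the remote range alone is not enough."""
    s, d = ip_address(str(src)), ip_address(str(dst))
    return any(s in ip_network(ls) and d in ip_network(rd) for ls, rd in acl)


def peer_check(acl=CRYPTO_ACL, local_gw=LOCAL_GW_NET, peer=REMOTE_PEER):
    """Report whether the remote peer sits inside the remote proxy IDs and
    whether traffic sourced from any local gateway address towards the
    peer (e.g. IKE on UDP/500 or 4500) would itself match the crypto ACL,
    which is the situation the question worries about."""
    peer_ip = ip_address(peer)
    peer_in_remote = any(peer_ip in ip_network(rd) for _, rd in acl)
    net = ip_network(local_gw)
    gw_hosts = list(net.hosts()) or [net.network_address]
    gw_matches = [str(h) for h in gw_hosts if is_interesting(h, peer_ip, acl)]
    return {
        "peer_inside_remote_interesting_traffic": peer_in_remote,
        "gateway_sourced_traffic_matches_acl": gw_matches,
    }


if __name__ == "__main__":
    # Data host -> peer is selected; gateway -> peer is not in the ACL.
    print(peer_check())
    print(is_interesting("10.10.10.10", "172.16.10.1"))
    print(is_interesting("10.10.11.1", "172.16.10.1"))
```

With the posted addresses the gateway block never appears as a crypto ACL source, so an empty match list is the expected result; a non-empty list is the case worth raising before submitting the change.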