Send select traffic across L2L VPN

rdsalmans
Level 1

I'm wanting to send only certain traffic across the L2L VPN, not everything. The setup is from my home (ASA5505) to the main office (ASA5510). For example, I'd like to send all SSH traffic from my LAN across the VPN. I've tried setting this up with ACLs defining interesting traffic but seem to have no luck with this. I'm suspecting you can only send all or nothing across the VPN between subnets. For example:

LAN 1: 192.168.1.0/24

access-list VPN1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN1 extended permit tcp 192.168.1.0 255.255.255.0 any eq 22

No-NAT is set up between 192.168.1.0 and 192.168.2.0

LAN 2: 192.168.2.0/24

access-list VPN2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN2 extended permit tcp any 192.168.1.0 255.255.255.0 eq 22

No-NAT is set up between 192.168.2.0 and 192.168.1.0

This is what I have defined as interesting traffic for the VPN. I can communicate between LANs with no problem, but SSH traffic is not being routed across the VPN. So when I SSH to 68.42.x.x, the SSH traffic is going out LAN1's default gateway and not across the VPN. I've run a packet-trace to confirm this. Is it even possible to be selective as to what is routed across a VPN at the protocol level?

1 Reply

Jennifer Halim
Cisco Employee

If you would like to SSH from your home network towards your HQ ASA, then you can SSH to the ASA inside interface ip address as it is already defined as part of the interesting traffic for VPN.

On the HQ ASA, you would need to configure the following:

management-access inside

ssh 192.168.1.0 255.255.255.0 inside

In regards to your question on the crypto ACL, typically you would only configure "IP" between the 2 subnets to define interesting traffic. If you would like to restrict only to allow SSH traffic from the home network towards the office network, then you would use an ACL applied to the inside interface to restrict the access.

However, if I understand your requirement correctly, you would like to SSH to the HQ ASA from your home network via the VPN tunnel, then the above commands will allow SSH to the HQ ASA inside interface ip address.

Hope that helps.
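The arrangement the reply describes, written out as an added configuration example for the HQ ASA (this is not the poster's or Cisco's own config): interesting traffic stays subnet-to-subnet, and the SSH-only restriction moves to an interface ACL. The addresses are the two LANs from the question; the ACL name OFFICE_OUT is hypothetical, and the example assumes the filter is placed as an egress ACL on the inside interface.

```cisco
! HQ ASA (192.168.2.0/24 side). Addresses taken from the question; ACL name hypothetical.

! Before: a protocol-specific entry in the crypto ACL. The crypto ACL only selects what
! gets encrypted; it is not a filter, so this line restricts nothing.
! access-list VPN2 extended permit tcp any 192.168.1.0 255.255.255.0 eq 22

! After: interesting traffic is plain IP between the two subnets, nothing else.
access-list VPN2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

! Management over the tunnel: the home LAN may SSH to the ASA's own inside address.
management-access inside
ssh 192.168.1.0 255.255.255.0 inside

! Filtering is done with an interface ACL, not the crypto ACL: the home LAN reaches
! office hosts only on TCP/22; everything else from the home LAN is dropped and logged.
access-list OFFICE_OUT extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 22
access-list OFFICE_OUT extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 log
access-list OFFICE_OUT extended permit ip any any

! "out" on inside means traffic leaving the ASA toward the office LAN. Sessions to the
! ASA's own inside IP (the SSH above) are to-the-box traffic and are not subject to this
! ACL. Assumption: decrypted VPN traffic is evaluated by this egress ACL on the release
! in use; if it is exempted, the same permit/deny lines belong in a vpn-filter applied
! through the tunnel's group-policy instead.
access-group OFFICE_OUT out interface inside
```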
