Site-to-site VPN 'exception'

bhnelson
Level 1

I have a site-to-site VPN between our main site and our DR site. This is using ASA 5516s. There is no ISP or otherwise at the DR site, so all traffic is routed across the VPN.

My question: Is it possible to split TCP traffic for one specific port/service to one specific IP at the DR site so that it does not go over the VPN? The traffic is already SSL so I'm not worried about security. I'm looking for higher throughput for this traffic than the VPN hardware can provide. For example, for a web server at the DR site, have port 80 go across the VPN but port 443 go outside of the VPN.

I've attempted to add the exception to the crypto map on both ends. I'm using the appropriate IP address and specifying the specific TCP port for service. This appears to work on the main site side, appropriate traffic gets routed out w/o being encrypted. However on the DR site side, traffic gets dropped due to "ipsec-tunnel-flow". (going on packet tracer results here). I suspect this is because the service on the crypto map is only specified on the destination, which on the DR side is being treated as the source port... if that makes sense. Since it is inbound traffic to that site, source port in this case is random.

I do have it working, sort of, by using a port-forwarding NAT IP in the crypto map exception and using 'IP' as the service. While that works, it's less desirable since I now have both a different port AND different IP to connect to one server, depending on whether I want an SSL or non-SSL connection.

Is what I'm trying to do possible? If not directly, any better suggestions than the NAT port-forwarding idea?

Thanks!


Philip D'Ath
VIP Alumni

It should work. Clear the IPsec SAs on both ends after making that change.

Hi Philip,

So far I'm only looking at packet tracer results. The tunnel is in use so I don't want to bounce it any more than necessary.

I found that if I set the source port in packet tracer to the same service port specified in the crypto map, the traffic passes. If the source port is anything else (which will be the case here, since the source port will be random), the traffic does not pass, with "ipsec-tunnel-flow". I think that answers my original question, in that splitting tunnel traffic for one IP based on the particular TCP port doesn't seem to be possible due to the limited filtering available in a crypto map.

Unless I'm still missing something?
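The behaviour described in this thread can be reproduced with a small model of how a crypto ACL is evaluated: outbound traffic is matched as written, while inbound traffic is matched with source and destination swapped, which is why the two peers' crypto ACLs must be mirror images of each other. The example below is added here and is not from the original post or from Cisco; the networks, the web server address and the assumption that the DR-side exception was written with the port on the destination are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing for the model (not from the thread).
MAIN_NET = "10.1.0.0/16"   # main site
DR_NET = "10.2.0.0/16"     # DR site
DR_WEB = "10.2.0.10/32"    # web server at the DR site

@dataclass(frozen=True)
class Ace:
    action: str               # "permit" = encrypt, "deny" = exception (bypass tunnel)
    src: str                  # source network (CIDR)
    src_port: Optional[int]   # None = any
    dst: str                  # destination network (CIDR)
    dst_port: Optional[int]   # None = any

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def mirror(flow: Flow) -> Flow:
    """Inbound packets are checked against the crypto ACL with src/dst swapped."""
    return Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)

def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (ip_address(flow.src_ip) in ip_network(ace.src)
            and ip_address(flow.dst_ip) in ip_network(ace.dst)
            and ace.src_port in (None, flow.src_port)
            and ace.dst_port in (None, flow.dst_port))

def crypto_verdict(acl: List[Ace], flow: Flow, inbound: bool) -> str:
    """First matching ACE decides; no match means the flow is not tunnel traffic."""
    f = mirror(flow) if inbound else flow
    for ace in acl:
        if ace_matches(ace, f):
            return "encrypt" if ace.action == "permit" else "bypass"
    return "bypass"

# Main-site crypto ACL: port 443 to the DR web server bypasses the tunnel.
MAIN_ACL = [Ace("deny", MAIN_NET, None, DR_WEB, 443), Ace("permit", MAIN_NET, None, DR_NET, None)]
# DR-side exception with the port on the destination: NOT the mirror image of MAIN_ACL.
DR_ACL_NOT_MIRRORED = [Ace("deny", DR_WEB, None, MAIN_NET, 443), Ace("permit", DR_NET, None, MAIN_NET, None)]
# DR-side exception with 443 as the web server's (source) port: the true mirror image.
DR_ACL_MIRRORED = [Ace("deny", DR_WEB, 443, MAIN_NET, None), Ace("permit", DR_NET, None, MAIN_NET, None)]

# A client at the main site with a random source port, as seen arriving at the DR ASA.
CLIENT_TO_WEB = Flow("10.1.0.5", 51234, "10.2.0.10", 443)
```

With `DR_ACL_NOT_MIRRORED` the inbound cleartext flow is classified as "encrypt", so the DR ASA expects it inside the tunnel and drops it (the ipsec-tunnel-flow result); the same flow with source port 443, as in the packet tracer test above, matches the exception and is classified as "bypass".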