Static VTI tunnel to asa

Hi All,

I need to connect some routers to an ASA using IPSec tunnels. The goal is to get NetFlow traffic from the routers to a collector behind an ASA using IPSec tunnels.

Recently I found out that (locally originated) NetFlow isn't properly encrypted when sent through an IPSec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/). The workaround seems to be using Flexible NetFlow (which my collector doesn't support) or using a real tunnel interface on the router.

This implies I need to use:

- IPSec/GRE

- EzVPN with DVTI

- SVTI...?

Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.


interface Tunnel0
 ip unnumbered Loopback0
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
!

My question is, does anybody know if you can build an IPSec tunnel between an ASA and a router, using a SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.

Regards

4 Replies

Marcin Latosiewicz
Cisco Employee

Hielke,

Assuming you could... this still does not scale for you, at all.

VTIs use "any any" as traffic selectors, which works OK in the case of a router and logical interfaces (tunnel), but it would not work on an ASA, since the ASA does not support logical interfaces.

You can only say "any any" once on ASA.

Marcin

Hi Marcin,

Thanks for your answer.

So are you saying that even if you could somehow match the IPSec settings, the traffic selector would still mess up things on the ASA?

Hielke

Hi Hielke,

If you manage to match the SAs proposed by the router when using SVTI, which are any to any, you would do this on the ASA using a crypto map access-list as follows:

access-list crypto VPN permit ip any any

Then all traffic leaving the interface where the crypto map is applied will be subject to encryption, which is not practical in most cases. You may use a different interface (on the ASA) for this tunnel with the SVTI, as it will use any any and that traffic is different from the traffic leaving the outside interface.

So, as Marcin said, this will not scale for you.

HTH

Mohammad.
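To make the two replies concrete, here is an added example (not configuration posted by anyone in this thread) of what the router SVTI from the question and a matching ASA crypto map would look like, with the traffic-selector problem visible on the ASA side. Everything beyond the interface names and peer addresses from the original post is assumed: IKEv1 with a pre-shared key (EXAMPLE-PSK), AES-256/SHA-1 on both sides because that is the widest common ground for an ASA IKEv1 policy, a collector subnet of 10.1.1.0/24 with the collector at 10.1.1.10, and the loopback address 10.255.0.1. The ASA is taken to be y.y.y.y and the router x.x.x.x, following the question.

```cisco
! ---- Router (x.x.x.x): IOS SVTI ----
! (added example; hypothetical names and addresses)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address y.y.y.y
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROF-ASA
 set transform-set TS-AES256
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-ASA
!
! Route the collector subnet into the tunnel interface and source the
! export from the loopback, so the export packets are forwarded out
! Tunnel0 (and therefore encrypted) like any other transit traffic.
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.1.1.10 2055

! ---- ASA (y.y.y.y): crypto map peer, ASA 8.4+ syntax ----
! (added example; hypothetical names)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK
!
! The router's SVTI proposes 0.0.0.0/0 <-> 0.0.0.0/0 as the phase 2
! selector, so the only crypto-map ACL that can agree with it is
! any/any. Once this entry is on the outside crypto map, every packet
! leaving "outside" matches it, and a second router would need a
! second any/any entry that the first one already shadows.
access-list VPN-ROUTER extended permit ip any any
crypto map OUTSIDE-MAP 10 match address VPN-ROUTER
crypto map OUTSIDE-MAP 10 set peer x.x.x.x
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP interface outside
```

After bringing the tunnel up, "show crypto ipsec sa" on the router shows the local and remote identities as 0.0.0.0/0.0.0.0/0/0, which is the selector the ASA has to match with the any/any entry above; this is the scaling limit both replies describe. As a caveat for anyone reading this later: ASA 9.7(1) and newer support their own static VTI ("interface Tunnel" with "tunnel mode ipsec ipv4"), which pairs with a router SVTI without a crypto map and so avoids the any/any problem entirely.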

OK, got it, thanks for your help.

Regards

Hielke