06-13-2011 03:10 AM
Hi,
I have a query about traffic traversing a site-to-site VPN tunnel.
My client wants to route all "ip" traffic from a network a.b.c.d /24 to e.f.g.h /24 over the VPN except "smtp" traffic.
They want "smtp" traffic from a.b.c.d /24 to e.f.g.h /24 to bypass the VPN and escape to the internet directly.
Both address ranges (a.b.c.d /24 and e.f.g.h /24) are globally routable (as they are public addresses).
The VPN device on my side is a Cisco ASA5520 running software version 7.0.
Would a "vpn-filter" be the solution I am looking for?
Any suggestions on this issue would be helpful. Thanks
Regards,
Nilesh
06-13-2011 03:34 AM
Hi Nilesh,
Hope this will help.
! ACL used as the VPN filter: deny TCP to the x.x.x.x range (logged), permit everything else
access-list 103 extended deny tcp any x.x.x.x x.x.x.x log
access-list 103 extended permit ip any any
! Group policy that attaches ACL 103 as a vpn-filter to tunnelled traffic
group-policy filter internal
group-policy filter attributes
 vpn-filter value 103
! Also applies ACL 103 to all traffic entering the outside interface, not only the tunnel
access-group 103 in interface outside
! x.x.x.x here is the remote peer IP of the site-to-site tunnel
tunnel-group x.x.x.x general-attributes
 default-group-policy filter
06-13-2011 06:58 AM
Hi Kiran,
Thank you for your reply.
The access-list 103 will block all "tcp" traffic. I will modify it though.
My concern is about the denied traffic. Does the traffic that is denied under a vpn-filter escape to the internet, bypassing the VPN?
Regards,
Nilesh
06-29-2011 02:56 PM
Hi Nilesh,
To your question, the answer is no. Traffic denied by the VPN filter will be dropped and not sent to the internet.
Regards,
Prapanch
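The distinction Prapanch points to is between the two places an ASA can classify tunnel traffic. A vpn-filter is enforced on traffic that is already inside the tunnel, so a deny there drops the packet. The crypto ACL ("interesting traffic") decides what enters the tunnel in the first place, and a packet that matches a deny ACE there is simply not encrypted and follows the ordinary routing table. The following configuration is an added example, not from anyone in this thread; the object names (SITE_TO_SITE_VPN, ESP-AES-SHA, outside_map), the netmasks, and the peer placeholder are assumptions written in ASA 7.x-style syntax.

```cisco
! Added example (not from the thread): carry all IP traffic between
! a.b.c.0/24 and e.f.g.0/24 over the site-to-site tunnel, but keep
! SMTP (TCP/25) out of the tunnel so it is routed in the clear.
!
! Crypto ACL: the deny ACE must precede the permit. A packet matching
! the deny is NOT dropped; it is excluded from IPsec and, because both
! ranges are public, is forwarded directly via the outside interface.
access-list SITE_TO_SITE_VPN extended deny tcp a.b.c.0 255.255.255.0 e.f.g.0 255.255.255.0 eq smtp
access-list SITE_TO_SITE_VPN extended permit ip a.b.c.0 255.255.255.0 e.f.g.0 255.255.255.0
!
! Bind the crypto ACL to the crypto map entry for this peer.
! <remote-peer-ip> is a placeholder for the far-end tunnel endpoint.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address SITE_TO_SITE_VPN
crypto map outside_map 10 set peer <remote-peer-ip>
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

Two checks go with this. The peer must carry the mirror-image crypto ACL (deny for SMTP in the reverse direction, then the permit), otherwise the two ends disagree on the proxy identities and the SA negotiation or the cleartext return path breaks. And the interface ACL on the outside interface, plus any NAT-exemption ACL that was written to mirror the old crypto ACL, should be reviewed so that the now-cleartext SMTP flow is neither dropped at the edge nor unexpectedly translated. A vpn-filter can still be kept on the tunnel to restrict what the encrypted path carries, but, as stated above, a deny in that filter drops traffic rather than rerouting it.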