07-17-2024 09:16 AM
In the context of a site-to-site IPsec VPN, how does a router know that the traffic it sends to another router must pass through a tunnel? Does the router have a specific routing table for tunnels?
07-17-2024 09:23 AM
@Saldebob if it's a policy-based VPN, you create an ACL that defines the interesting traffic to be encrypted. When traffic is routed to the router and matches the ACL (src/dst), the traffic is encrypted and routed over the tunnel.
If it is a route-based VPN, you rely on the routing (static or dynamic) to route the traffic to be encrypted over the VPN tunnel.
07-17-2024 03:13 PM
Thanks
Where can I find the ACL for the tunnel in the GUI on the Cisco ASA?
07-17-2024 09:52 PM
From ASDM navigate to Configuration > Site to Site VPN > Advanced > Crypto Maps.
Then configure traffic selection.
This defines the interesting traffic to encrypt.
This will automatically create an ACL and reference it with the crypto map. Example:
access-list outside_cryptomap_1 extended permit ip object VLAN3 192.168.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object VLAN4 192.168.10.0 255.255.255.0
!
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer <peer ip>
crypto map outside_map 1 set ikev1 transform-set TSET
crypto map outside_map interface outside
07-18-2024 12:25 AM
Hello,
Thank you very much. So does the Cisco ASA check the crypto map before the routing table?
07-18-2024 12:35 AM
@Saldebob routing plays a part. Traffic must be routed to the ASA inside interface and then outbound to the destination out of the interface where the crypto map is enabled (outside). As the traffic passes through the ASA, it will check the crypto ACL to determine if there is a match; if there is, the traffic will be routed via the appropriate VPN tunnel; if there is no match (against the crypto ACL), the traffic will be routed out of the outside interface in cleartext (not through a tunnel).
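The decision order described in the replies above (route lookup picks the egress interface, then the crypto map bound to that interface and its crypto ACL decide whether to encrypt; a route-based VPN lets the route itself select a tunnel interface) can be modelled in a few lines. The following is an added example written for this page, not code from Cisco or from any poster. It parses the two crypto ACL lines posted above; the definitions of `object VLAN3` and `object VLAN4`, the peer address 203.0.113.2, the routing table, and the `Tunnel1` VTI are constructed assumptions, because the page does not show them.

```python
import ipaddress

# Added example (not from the page or Cisco): a model of how an ASA decides
# whether a packet is "interesting" for a policy-based IPsec tunnel.
# Order: route lookup first (which interface does the packet leave?), then the
# crypto map bound to that egress interface, then its crypto ACL. A route-based
# VPN (VTI) skips the ACL step: if the route points at a tunnel interface, encrypt.

# Constructed network objects standing in for "object VLAN3"/"object VLAN4",
# whose definitions the page does not show (assumption).
NETWORK_OBJECTS = {
    "VLAN3": ipaddress.ip_network("192.168.3.0/24"),
    "VLAN4": ipaddress.ip_network("192.168.4.0/24"),
}

# The crypto ACL lines from the page, verbatim.
ACL_CONFIG = [
    "access-list outside_cryptomap_1 extended permit ip object VLAN3 192.168.10.0 255.255.255.0",
    "access-list outside_cryptomap_1 extended permit ip object VLAN4 192.168.10.0 255.255.255.0",
]

# Crypto map: 'crypto map outside_map interface outside' binds it to "outside";
# sequence 1 matches ACL outside_cryptomap_1 and peers with <peer ip>
# (203.0.113.2 is a constructed placeholder).
CRYPTO_MAP = {
    "outside": [{"seq": 1, "acl": "outside_cryptomap_1", "peer": "203.0.113.2"}],
}

# Constructed routing table (longest-prefix match). Tunnel1 models a
# route-based VTI; there is no separate "tunnel routing table".
ROUTES = [
    (ipaddress.ip_network("192.168.3.0/24"), "inside"),
    (ipaddress.ip_network("192.168.4.0/24"), "inside"),
    (ipaddress.ip_network("172.16.0.0/16"), "Tunnel1"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def _take_addr(tok):
    """Consume one ASA address term: 'object NAME', 'any', or 'NET MASK'."""
    if tok[0] == "object":
        return NETWORK_OBJECTS[tok[1]], tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # dotted mask accepted


def parse_crypto_acl(lines):
    """Parse 'access-list NAME extended permit ip SRC DST' into {name: [(src, dst), ...]}."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2:5] != ["extended", "permit", "ip"]:
            continue  # only the plain IP permit form used in the crypto ACL is modelled
        src, rest = _take_addr(tok[5:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls


CRYPTO_ACLS = parse_crypto_acl(ACL_CONFIG)


def lookup_route(dst_ip, routes=ROUTES):
    """Longest-prefix match; returns the egress interface name or None."""
    best = None
    for prefix, iface in routes:
        if dst_ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def forward(src, dst, routes=ROUTES, crypto_map=CRYPTO_MAP, acls=CRYPTO_ACLS):
    """Return ('encrypt', peer_or_tunnel), ('cleartext', iface) or ('drop', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = lookup_route(d, routes)
    if egress is None:
        return ("drop", None)
    if egress.startswith("Tunnel"):  # route-based: the route is the selector
        return ("encrypt", egress)
    # Policy-based: walk the crypto map entries on the egress interface in
    # sequence order; the first crypto ACL whose src/dst pair matches wins.
    for entry in sorted(crypto_map.get(egress, []), key=lambda e: e["seq"]):
        for src_net, dst_net in acls.get(entry["acl"], []):
            if s in src_net and d in dst_net:
                return ("encrypt", entry["peer"])
    return ("cleartext", egress)  # no match: leaves the interface unencrypted


if __name__ == "__main__":
    for flow in [("192.168.3.10", "192.168.10.5"), ("192.168.3.10", "8.8.8.8"),
                 ("192.168.5.10", "192.168.10.5"), ("192.168.3.10", "172.16.1.1")]:
        print(flow, "->", forward(*flow))
```

The point the model makes visible: a host in VLAN3 talking to 192.168.10.0/24 is encrypted to the peer, the same host talking to 8.8.8.8 leaves the outside interface in cleartext, and a host outside VLAN3/VLAN4 reaching 192.168.10.0/24 also leaves in cleartext because no crypto ACL line covers it. Only when the route itself points at the VTI does the routing table alone decide.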
07-17-2024 09:24 AM
This is the job of the ACL you configure and add under the crypto map.
It makes the router know that this traffic must be sent securely via the tunnel.
MHM