Vpn routing

Saldebob
Level 1

In the context of a site-to-site ipsec vpn, how does a router know that the traffic it sends to another router must pass through a tunnel? Does the router have a specific routing table for tunnels?


@Saldebob if it's policy based VPN you create an ACL that defines the interesting traffic to be encrypted. When traffic is routed to the router and matches the ACL (src/dst) the traffic is encrypted and routed over the tunnel.

If it is a route based VPN you rely on the routing (static or dynamic) to route the traffic to be encrypted over the VPN tunnel.

Thanks

Where can I find the ACL for the tunnel in the GUI on a Cisco ASA?

@Saldebob

From ASDM navigate to Configuration > Site to Site VPN > Advanced > Crypto Maps

Then configure traffic selection

This defines the interesting traffic to encrypt

This will automatically create an ACL and reference it with the crypto map. Example:

access-list outside_cryptomap_1 extended permit ip object VLAN3 192.168.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object VLAN4 192.168.10.0 255.255.255.0
!
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer <peer ip>
crypto map outside_map 1 set ikev1 transform-set TSET
crypto map outside_map interface outside

Hello,

Thank you very much. So does the Cisco ASA check the crypto map first, before the routing table?

@Saldebob routing plays a part. Traffic must be routed to the ASA inside interface and then outbound to the destination out of the interface where the crypto map is enabled (outside). As the traffic passes through the ASA, it will check the crypto ACL to determine if there is a match; if there is, the traffic will be routed via the appropriate VPN tunnel; if there is no match (against the crypto ACL), the traffic will be routed out of the outside interface in cleartext (not through a tunnel).
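As an added illustration of the order Rob describes (route lookup first, then the crypto ACL on the egress interface), here is a small Python model. It is not part of Rob's post and not Cisco code. It parses the two access-list lines from the thread as written; the subnets behind the VLAN3/VLAN4 objects, the routing table and the peer address (203.0.113.2 standing in for `<peer ip>`) are constructed assumptions. It also shows the failure mode in Rob's last sentence: a source subnet that is missing from the crypto ACL still leaves the outside interface, but in cleartext.

```python
import ipaddress

# Constructed object definitions. The names VLAN3/VLAN4 come from the thread;
# the subnets behind them are assumed for this example.
OBJECTS = {
    "VLAN3": ipaddress.ip_network("10.0.3.0/24"),
    "VLAN4": ipaddress.ip_network("10.0.4.0/24"),
}

# Constructed routing table: (prefix, egress interface), default route out "outside".
ROUTES = [
    (ipaddress.ip_network("10.0.3.0/24"), "inside"),
    (ipaddress.ip_network("10.0.4.0/24"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]

# The crypto ACL lines exactly as shown in the thread.
CRYPTO_ACL = """
access-list outside_cryptomap_1 extended permit ip object VLAN3 192.168.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object VLAN4 192.168.10.0 255.255.255.0
"""

# Crypto map applied to "outside"; sequence 1 matches outside_cryptomap_1.
# The peer is a constructed documentation address standing in for <peer ip>.
CRYPTO_MAP = {
    "interface": "outside",
    "entries": [{"seq": 1, "acl": "outside_cryptomap_1", "peer": "203.0.113.2"}],
}


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def _parse_address(tokens, i):
    """Parse one ASA ACL address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "object":
        return OBJECTS[tokens[i + 1]], i + 2
    # "a.b.c.d 255.255.255.0" form: ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(text):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'extended permit ip' lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _parse_address(t, 5)
        dst, _ = _parse_address(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def classify(src_ip, dst_ip, acls=None):
    """Decide how the ASA forwards a flow: routing decides the egress interface,
    then the crypto ACL bound to that interface decides encrypt vs cleartext."""
    acls = acls if acls is not None else parse_crypto_acl(CRYPTO_ACL)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    egress = lookup_route(dst)
    if egress != CRYPTO_MAP["interface"]:
        # No crypto map on this interface: plain forwarding (e.g. inside-to-inside)
        return {"egress": egress, "action": "forward", "peer": None}
    for entry in CRYPTO_MAP["entries"]:
        for acl_src, acl_dst in acls.get(entry["acl"], []):
            if src in acl_src and dst in acl_dst:
                return {"egress": egress, "action": "encrypt", "peer": entry["peer"]}
    # Egress interface carries the crypto map but nothing matched: sent unencrypted
    return {"egress": egress, "action": "cleartext", "peer": None}


if __name__ == "__main__":
    for flow in [("10.0.3.25", "192.168.10.7"),   # VLAN3 -> remote LAN: tunnel
                 ("10.0.5.25", "192.168.10.7"),   # subnet not in ACL: cleartext leak
                 ("10.0.3.25", "198.51.100.9"),   # Internet-bound: cleartext, expected
                 ("10.0.3.25", "10.0.4.8")]:      # inside-to-inside: no crypto map
        print(flow, classify(*flow))
```

The third case (Internet-bound traffic in cleartext) is the intended behaviour; the second is the one to check for when a new VLAN is added behind the ASA and its traffic to the remote site never enters the tunnel.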

This is the job of the ACL you configure and add under the crypto map.

It makes the router know that this traffic must be sent securely via the tunnel.

MHM