11-05-2007 08:56 AM - edited 03-10-2019 03:51 AM
I'm a little on the new end of all of this so bear with me. I hope I'm in the right forum.
I have an ASA 5510 with an AIP-SSM-10 card that I am configuring for a customer. Everything is up and running except for the diversion of traffic to the AIP. I know that I need an access list to do that but I want to EXCLUDE VPN traffic when I divert. In other word I want the AIP to inspect everything except ipsec. I'm having trouble understanding how to use an access list for everything except VPN traffic. Any help would be greatly appreciated.
Thanks
Brad
11-05-2007 12:15 PM
Brad -
The access list is quite easy. First, you would put your exceptions using deny statements. Next, you would make permits for the traffic you want inspected. Here is an example..
access-list AIP extended deny ip 172.16.1.0 255.255.255.0 any
access-list AIP extended deny ip any 172.16.1.0 255.255.255.0
access-list AIP extended permit ip any any
In this example, the VPN traffic is the 172.16.1.0/245 network. This can be a local range or the ip pool's range.
Please rate helpful posts.
Jay
11-05-2007 02:01 PM
Jay,
Thanks for your timely response. I was probably overlooking the obvious but also I was afraid that that would block the traffic altogether. I am testing it now but I think this should be exactly what I needed. Again, I thank you for your help.
Brad
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide