how to send traffic in the clear?

Aug 28th, 2008

Hi All,


Am I correct in saying that to send traffic in the clear across the VPN I add a deny statement to the access-list that is matched to the crypto map?

Correct Answer
Farrukh Haroon Thu, 08/28/2008 - 02:02

Depends on the ACL.


Usually you just permit the VPN traffic and the explicit deny at the end of the ACL takes care of it.


If you want to exclude some traffic that is 'part' of the permit statement, you can use a 'deny' statement BEFORE the permit statement to exclude that traffic.


Regards


Farrukh

darkbeatzz Thu, 08/28/2008 - 02:48

Great, thanks. If you have a useful doc on it, please post a link.

Farrukh Haroon Thu, 08/28/2008 - 03:10

What are your VPN endpoints: IOS, ASA, etc.?



Regards


Farrukh

darkbeatzz Thu, 08/28/2008 - 06:26

Hey, just one other question. Do the ACLs have to match exactly on each ASA/PIX for the VPN to work?

darkbeatzz Thu, 08/28/2008 - 07:01

Great, thanks. I cannot seem to find good documentation on configuring traffic to go in the clear, so if you have any examples I would appreciate it. I need to configure traffic to go in the clear over a VPN tomorrow. Thanks.


darkbeatzz Thu, 08/28/2008 - 07:31

Can you clarify something in your answer please? First of all, so I am clear, let me explain what I want to do. I have a VPN tunnel built between a Checkpoint (Nokia) and a Cisco ASA. However, I do not want to encrypt SSH traffic to the ASA firewall, but I want to encrypt everything else.


So where in the crypto ACL do I achieve this? I am allowing both networks to talk to each other, so do I add the deny before the permit or after it? As there would be a default deny any any at the end of the ACL, I can't understand how this would work.



Farrukh Haroon Thu, 08/28/2008 - 08:02

I'm sorry, I don't have an example, but I will try to explain this myself.


Let's assume the LAN behind the ASA = 10.10.10.0/24 and the one behind the Checkpoint = 11.11.11.0/24.


Now you want the VPN between all hosts in the two subnets except 10.10.10.150. You would do this on the ASA:


access-list VPN line 10 extended deny ip host 10.10.10.150 11.11.11.0 255.255.255.0
access-list VPN line 20 extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0


This way the traffic from 10.10.10.150 going to the Checkpoint LAN would be 'denied' and NOT encrypted, whereas all other hosts in this subnet will be subject to encryption.


Where are you trying to SSH the ASA from? Behind the Checkpoint? From the Checkpoint?


Regards


Farrukh

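To make the ordering point concrete, here is an added simulation (not from the thread or from Cisco) of how a crypto map evaluates a crypto ACL: first matching entry wins, and a flow that matches nothing falls to the implicit deny and is sent in the clear. It parses constructed ASA-style `access-list ... extended` lines equivalent to the two in the answer above and compares deny-before-permit with deny-after-permit.

```python
import ipaddress

# Constructed ASA-style crypto ACL, mirroring the two entries in the answer above.
# The crypto map evaluates entries top-down; the first match decides the flow.
ACL_DENY_FIRST = [
    "access-list VPN line 10 extended deny ip host 10.10.10.150 11.11.11.0 255.255.255.0",
    "access-list VPN line 20 extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0",
]
# The same two entries with the deny placed AFTER the permit (the ordering the question asked about).
ACL_DENY_LAST = [ACL_DENY_FIRST[1], ACL_DENY_FIRST[0]]


def _parse_addr(tokens, i):
    """Consume 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME line N extended ACTION ip SRC DST' into (action, src_net, dst_net)."""
    t = line.split()
    action = t[t.index("extended") + 1]
    i = t.index("ip") + 1
    src, i = _parse_addr(t, i)
    dst, _ = _parse_addr(t, i)
    return action, src, dst


def is_encrypted(acl, src_ip, dst_ip):
    """True if the flow is 'interesting traffic' (first matching ACE is a permit).

    A matching deny, or no match at all (the implicit deny at the end of the ACL),
    means the flow is not protected by the crypto map and leaves in the clear.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action == "permit"
    return False


if __name__ == "__main__":
    for name, acl in (("deny first", ACL_DENY_FIRST), ("deny last", ACL_DENY_LAST)):
        print(name, "10.10.10.150 -> 11.11.11.5 encrypted:", is_encrypted(acl, "10.10.10.150", "11.11.11.5"))
        print(name, "10.10.10.20  -> 11.11.11.5 encrypted:", is_encrypted(acl, "10.10.10.20", "11.11.11.5"))
```

With the deny first, 10.10.10.150 goes in the clear and every other host in 10.10.10.0/24 is encrypted; with the deny last, the permit matches first and the deny is never reached, which is why the exclusion must precede the broader permit.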
darkbeatzz Thu, 08/28/2008 - 11:01

OK, I get it now. The requirement is to be able to SSH to the ASA from the Checkpoint and from behind the Checkpoint.


Thanks for your help.

Farrukh Haroon Fri, 08/29/2008 - 10:55

The one from the Checkpoint >> ASA won't be part of the interesting traffic anyway, so no need to worry about that. The one from behind the Checkpoint will need to be excluded on both ends.


Regards


Farrukh
