how to send traffic in the clear?

darkbeatzz, Level 1

Hi All,

Am I correct in saying that to send traffic in the clear across the VPN I add a deny statement in the access-list that is matched to the crypto map?

1 Accepted Solution

Accepted Solutions

Farrukh Haroon, VIP Alumni

Depends on the ACL.

Usually you just permit the VPN traffic and the explicit deny at the end of the ACL takes care of it.

If you want to exclude some traffic that is 'part' of the permit statement you can use a 'deny' statement BEFORE the permit statement to exclude that traffic.

Regards

Farrukh


11 Replies


Great, thanks. If you have a useful doc on it please post a link.

What are your VPN endpoints: IOS, ASA, etc.?

Regards

Farrukh

ASA (8.0), thanks.

Hey, just one other question. Do the ACLs have to match exactly on each ASA/PIX for the VPN to work?

Normally mirror image ACLs are configured. But there are a few exceptions as explained here:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_vpn_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1047713

But I would not recommend setting the VPN up like this, to keep things simple.

Regards

Farrukh

Great, thanks. I cannot seem to find good documentation on configuring traffic to go in the clear, so if you have any examples I would appreciate it. I need to configure traffic to go in the clear over a VPN tomorrow. Thanks.

Can you clarify something in your answer please? First of all, so I am clear, let me explain what I want to do. I have a VPN tunnel built between a Checkpoint (Nokia) and a Cisco ASA. However, I do not want to encrypt SSH traffic to the ASA firewall, but I want to encrypt everything else.

So where in the crypto ACL do I achieve this? I am allowing both networks to talk to each other, so do I add the deny before the permit or after it? As there would be a default deny any any at the end of the ACL, I can't understand how this would work.

I'm sorry I don't have an example, but I will try to explain this myself.

Let's assume the LAN behind the ASA = 10.10.10.0/24 and the one behind the Checkpoint = 11.11.11.0/24.

Now you want the VPN between all hosts in the two subnets except 10.10.10.150. You would do this on the ASA:

access-list VPN line 10 extended deny ip host 10.10.10.150 11.11.11.0 255.255.255.0

access-list VPN line 20 extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0

This way the traffic from 10.10.10.150 going to the Checkpoint LAN would be 'denied' and NOT encrypted, whereas all other hosts in this subnet will be subject to encryption.

Where are you trying to SSH the ASA from? Behind the Checkpoint? From the Checkpoint?

Regards

Farrukh

OK, I get it now. The requirement is to be able to SSH to the ASA from the Checkpoint and from behind the Checkpoint.

Thanks for your help.

The one from the Checkpoint >> ASA won't be part of the interesting traffic anyway, so no need to worry about that. The one from behind the Checkpoint will need to be excluded on both ends.

Regards

Farrukh
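The two points made in this thread, that a crypto ACL is evaluated first-match with an implicit deny at the end (so the deny for the excluded host has to come before the permit), and that the exclusion has to appear as a mirror image on the peer's crypto ACL, can be checked offline with a small simulator. The following Python script is an added example written for this page; it is not Cisco's code or anything from the original posts. It parses ASA-style extended ACL lines, classifies a flow as interesting or not, and compares a local ACL with a peer ACL over a set of sample flows to find flows the two sides would classify differently. The ACL text, the peer ACL, the wrongly ordered ACL and the sample flows are all constructed for the example; the Checkpoint's outside address 203.0.113.10 and the ASA's 203.0.113.20 are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the ASA crypto ACL from the thread, deny placed BEFORE the permit.
ASA_CRYPTO_ACL = """
access-list VPN extended deny ip host 10.10.10.150 11.11.11.0 255.255.255.0
access-list VPN extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0
"""

# Constructed sample: the same two entries written the wrong way round (permit first).
WRONG_ORDER_ACL = """
access-list VPN extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list VPN extended deny ip host 10.10.10.150 11.11.11.0 255.255.255.0
"""

# Constructed sample: mirror image of ASA_CRYPTO_ACL as the Checkpoint side should see it.
PEER_CRYPTO_ACL = """
access-list VPN extended deny ip 11.11.11.0 255.255.255.0 host 10.10.10.150
access-list VPN extended permit ip 11.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

# Constructed sample: a peer that forgot the exclusion (only the permit).
PEER_WITHOUT_DENY = """
access-list VPN extended permit ip 11.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

# Constructed sample flows (src, dst), including the Checkpoint's own outside
# address (203.0.113.10, assumed) talking to the ASA outside interface (203.0.113.20, assumed).
SAMPLE_FLOWS = [
    ("10.10.10.20", "11.11.11.5"),      # ordinary LAN-to-LAN host: should be encrypted
    ("10.10.10.150", "11.11.11.5"),     # the excluded host: should go in the clear
    ("10.10.10.20", "192.0.2.1"),       # not in either subnet: implicit deny
    ("203.0.113.10", "203.0.113.20"),   # Checkpoint box -> ASA outside: never interesting
]


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'host A', 'any' or 'A MASK' starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts dotted netmask notation such as 10.10.10.0/255.255.255.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse ASA 'access-list NAME extended ACTION PROTO SRC DST' lines (protocol ignored here)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        action = t[3]
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(action, src, dst))
    return aces


def is_interesting(aces, src_ip, dst_ip):
    """First-match evaluation of a crypto ACL; no match means the implicit deny (clear text)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def mirror_mismatches(local, peer, flows):
    """Flows (src, dst) that the local ACL and the peer ACL (evaluated dst->src) classify differently.

    A non-empty result means one side would try to encrypt what the other expects in the clear."""
    return [(s, d) for s, d in flows
            if is_interesting(local, s, d) != is_interesting(peer, d, s)]


if __name__ == "__main__":
    asa = parse_acl(ASA_CRYPTO_ACL)
    for s, d in SAMPLE_FLOWS:
        print(f"{s} -> {d}: {'encrypt' if is_interesting(asa, s, d) else 'clear'}")
    print("mirror ok:", mirror_mismatches(asa, parse_acl(PEER_CRYPTO_ACL), SAMPLE_FLOWS) == [])
    print("missing deny on peer:", mirror_mismatches(asa, parse_acl(PEER_WITHOUT_DENY), SAMPLE_FLOWS))
```

Running it shows the excluded host going in the clear only when the deny precedes the permit, and a mirror mismatch for exactly that host when the peer keeps a plain permit, which is the "excluded on both ends" point above. The simulator ignores the protocol and port fields, so it reflects the thread's ip-level example rather than the full ASA matching semantics.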
