Interesting VPN Traffic

Jun 13th, 2012

On an ASA, version 8.2(x), for a given VPN tunnel set up with a peer of a.b.c.d, and the interesting traffic defined as source s.t.u.v and destination w.x.y.z (and the w.x.y.z address(es) does NOT include the peer address), if host s.t.u.v tries to access the peer IP, will the traffic go across the tunnel or not?


My guess is that it will not, because the peer IP address has not been explicitly defined as 'interesting' traffic to go across the tunnel. Is this correct?

Jennifer Halim (Cisco Employee) Wed, 06/13/2012 - 23:51

Yes, you are correct. It will not go across the tunnel because s.t.u.v is not part of the crypto ACL/interesting traffic.

Private Private Thu, 06/14/2012 - 03:45

Did you mean to say that I am correct because the peer address (a.b.c.d) is not part of the interesting traffic? That is, traffic from s.t.u.v to a.b.c.d will not go across the tunnel because, even though the source (s.t.u.v) is a 'potential' source for interesting traffic, the peer address (a.b.c.d) is not a 'potential' destination for interesting traffic.


Below is the example setup:

access-list VPN-ACL extended permit ip s.t.u.v w.x.y.z

crypto map map-outside 10 match address VPN-ACL
crypto map map-outside 10 set peer a.b.c.d
crypto map map-outside 10 set transform-set EXP-3DES-SHA

tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
     pre-shared-key ****************

Thanks.

Jennifer Halim (Cisco Employee) Thu, 06/14/2012 - 11:52

Yes, because a.b.c.d is not the destination of your crypto ACL (VPN-ACL), the traffic will not be encrypted and will not go through the VPN tunnel. It will go in clear text towards the destination a.b.c.d.

BTW, you won't be able to encrypt traffic from the VPN peer IP towards the remote VPN peer IP, because those addresses are used to build the VPN tunnel anyway, even though you define it in the crypto ACL.
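The matching rule the two answers describe, modelled as a small simulation (added here as an illustration; this is not code from the thread or from Cisco). A crypto ACL is evaluated first-match like any ASA ACL: a flow is "interesting" only when both its source and destination fall inside a permit ACE, and anything else leaves the outside interface in the clear. The addresses are constructed stand-ins for the placeholders in the thread: 10.1.1.0/24 for s.t.u.v, 192.168.2.0/24 for w.x.y.z, 203.0.113.5 for the peer a.b.c.d, and 198.51.100.1 as the ASA's own outside address (assumed, not given in the thread). The last scenario goes one step beyond the thread and shows that adding a /32 ACE for the peer address is what would make the ACL match that flow.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One entry of a crypto ACL; a permit marks the flow as interesting traffic."""
    action: str                       # "permit" or "deny"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network

@dataclass(frozen=True)
class CryptoMapEntry:
    """The pieces of a crypto map entry that decide whether a flow is encrypted."""
    acl: tuple                        # ordered ACEs, evaluated first-match
    local_peer: ipaddress.IPv4Address   # this ASA's outside address
    remote_peer: ipaddress.IPv4Address  # 'set peer' address

def matches_crypto_acl(acl, src, dst):
    """First-match evaluation: True only if a permit ACE covers (src, dst).
    No match means the implicit deny applies and the flow is not interesting."""
    for ace in acl:
        if src in ace.source and dst in ace.destination:
            return ace.action == "permit"
    return False

def disposition(entry, src, dst):
    """'encrypted' if the flow would be sent through the IPsec tunnel,
    'clear' if the ASA would forward it unencrypted."""
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    # Traffic between the two peer addresses carries IKE/ESP itself; as the
    # answer above states, it is not protected by the tunnel even if listed.
    if {src, dst} == {entry.local_peer, entry.remote_peer}:
        return "clear"
    return "encrypted" if matches_crypto_acl(entry.acl, src, dst) else "clear"

# Constructed sample topology standing in for the thread's placeholders.
LOCAL_LAN = ipaddress.IPv4Network("10.1.1.0/24")      # s.t.u.v
REMOTE_LAN = ipaddress.IPv4Network("192.168.2.0/24")  # w.x.y.z
REMOTE_PEER = ipaddress.IPv4Address("203.0.113.5")    # a.b.c.d
LOCAL_PEER = ipaddress.IPv4Address("198.51.100.1")    # assumed outside address

# Equivalent of: access-list VPN-ACL extended permit ip <LAN> <REMOTE LAN>
VPN_ACL = (Ace("permit", LOCAL_LAN, REMOTE_LAN),)
MAP_OUTSIDE_10 = CryptoMapEntry(VPN_ACL, LOCAL_PEER, REMOTE_PEER)

# Variant that also lists the peer address as a destination (not in the thread).
VPN_ACL_WITH_PEER = VPN_ACL + (
    Ace("permit", LOCAL_LAN, ipaddress.IPv4Network("203.0.113.5/32")),
)
MAP_OUTSIDE_10_WITH_PEER = CryptoMapEntry(VPN_ACL_WITH_PEER, LOCAL_PEER, REMOTE_PEER)

def thread_scenarios():
    """The flows discussed in the thread, keyed by a short label."""
    return {
        "lan_to_remote_lan": disposition(MAP_OUTSIDE_10, "10.1.1.10", "192.168.2.20"),
        "lan_to_peer_ip": disposition(MAP_OUTSIDE_10, "10.1.1.10", "203.0.113.5"),
        "peer_to_peer": disposition(MAP_OUTSIDE_10, "198.51.100.1", "203.0.113.5"),
        "lan_to_peer_ip_when_listed":
            disposition(MAP_OUTSIDE_10_WITH_PEER, "10.1.1.10", "203.0.113.5"),
    }

if __name__ == "__main__":
    for label, result in thread_scenarios().items():
        print(f"{label:28s} -> {result}")
```

On the box itself the same question is answered by `packet-tracer input inside tcp s.t.u.v 12345 a.b.c.d 80`, whose VPN phase shows whether the crypto map was matched, and by the encaps/decaps counters in `show crypto ipsec sa` for the relevant peer.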
