Interesting VPN Traffic

Private
Level 1

On an ASA, version 8.2(x), for a given VPN tunnel setup with a peer of a.b.c.d, and the interesting traffic defined as source s.t.u.v and destination w.x.y.z (and the w.x.y.z address(es) does NOT include the peer address), if host s.t.u.v, tries to access the peer IP, will the traffic go across the tunnel or no?

My guess is that it will not because the peer IP address has not been explicitly defined as 'interesting' traffic to go across the tunnel.  Is this correct?

3 Replies

Jennifer Halim
Cisco Employee

Yes, you are correct. It will not go across the tunnel because s.t.u.v is not part of the crypto ACL/interesting traffic.

Did you mean to say that I am correct because the peer address (a.b.c.d) is not part of the interesting traffic? That is, traffic from s.t.u.v to a.b.c.d will not go across the tunnel because even though the source (s.t.u.v) is a 'potential' source for interesting traffic, the peer address (a.b.c.d) is not a 'potential' destination for interesting traffic.

Below is the example setup:

access-list VPN-ACL extended permit ip s.t.u.v w.x.y.z
crypto map map-outside 10 match address VPN-ACL
crypto map map-outside 10 set peer a.b.c.d
crypto map map-outside 10 set transform-set EXP-3DES-SHA
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
     pre-shared-key ****************

Thanks.

Yes, because a.b.c.d is not the destination of your crypto ACL (VPN-ACL), the traffic will not be encrypted and going through the VPN tunnel. It will go in clear text towards the destination a.b.c.d.

BTW, you won't be able to encrypt the VPN peer IP towards the remote VPN peer IP because they are used to build the VPN tunnel anyway, even though you define it in the crypto ACL.
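To make the two points in this thread concrete, here is an added example (not code from the thread or from Cisco) that models how a crypto ACL selects traffic: a flow is encrypted only when it matches a permit entry, and traffic between the two tunnel endpoints themselves is never encrypted even when an entry would match it. The ACL, the peer address and the ASA's outside IP are constructed placeholders.

```python
# Added example, not from the thread: a model of how an ASA crypto map decides whether
# a flow is 'interesting' (encrypted) or clear. ACL and addresses are constructed (RFC 5737).
import ipaddress

CRYPTO_ACL = """\
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-ACL extended permit ip host 203.0.113.1 host 203.0.113.2
"""
PEER = "203.0.113.2"           # 'crypto map map-outside 10 set peer' address (constructed)
LOCAL_OUTSIDE = "203.0.113.1"  # assumed outside IP of this ASA (our tunnel endpoint)

def _addr(tok, i):
    """Consume one ASA address spec at tok[i]: 'any', 'host A', or 'NET MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_crypto_acl(config, name):
    """Return [(action, src_net, dst_net)] from 'access-list NAME extended ... ip' lines.
    Only protocol 'ip' without ports is modelled, as in a typical crypto ACL."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["access-list", name, "extended"] and tok[4] == "ip":
            src, i = _addr(tok, 5)
            dst, _ = _addr(tok, i)
            entries.append((tok[3], src, dst))
    return entries

def classify(entries, src, dst, peer=PEER, local=LOCAL_OUTSIDE):
    """'encrypt' if src->dst matches a permit entry of the crypto ACL, else 'clear'.
    Per the second reply, traffic between the two tunnel endpoints (this ASA's
    outside IP and the peer) is never encrypted, even if an ACL entry matches it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if str(s) == local and str(d) == peer:
        return "clear"
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return "encrypt" if action == "permit" else "clear"
    return "clear"

def demo():
    acl = parse_crypto_acl(CRYPTO_ACL, "VPN-ACL")
    return {
        "lan_host_to_remote_lan": classify(acl, "10.1.1.5", "10.2.2.7"),
        "lan_host_to_peer": classify(acl, "10.1.1.5", PEER),  # the thread's question
        "asa_to_peer": classify(acl, LOCAL_OUTSIDE, PEER),    # matches ACL, still clear
    }
```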