09-24-2007 08:10 AM - edited 03-05-2019 06:40 PM
Hi all, I have just used the VPN wizard to set up a tunnel between my 2 offices over the internet. My question is: when I put the source and destination networks to be protected into the config, will this just encrypt those networks? And so do I now need to create an access list, or is that included in the protected networks statement?
cheers
Carl
09-24-2007 09:18 AM
This probably belongs in security, but either way. The networks you enter for remote and local are the only ones encrypted. If the ASA receives a packet from the local network described in your configuration to the remote network you specified, it will be sent down the tunnel. If it receives a packet from anywhere else, it will route it normally (conditions permitting, of course). These two network statements must match on the remote and local sides (the same networks need to be specified), otherwise phase 2 will fail.
Depending on the implementation, you may or may not need to add additional access lists to allow said traffic. If the command "sysopt connection permit-vpn" is enabled (which it is by default), all VPN traffic bypasses any access list. While this isn't very secure, it's easy since you don't need to explicitly allow VPN traffic. If that command is not enabled, and you don't want it enabled, you must write a separate access list permitting the VPN traffic through and apply it to an interface.
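To make the two options in the reply above concrete, here is an added ASA configuration fragment (editor's example, not posted by anyone in this thread). The network addresses, interface name and object names (192.168.1.0/24 local, 192.168.2.0/24 remote, VPN_TRAFFIC, OUTSIDE_MAP, OUTSIDE_IN, outside) are assumed placeholders; the `!` lines are explanatory comments and not part of the running configuration.

```cisco
! Crypto ACL: defines the local/remote networks the tunnel protects.
! The peer must carry the mirror image (remote <-> local swapped) or phase 2 fails.
access-list VPN_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC

! Default (weak) setting: decrypted VPN traffic skips the interface access lists,
! so any host on the remote LAN can reach anything on the local LAN.
sysopt connection permit-vpn

! Hardened alternative: turn the bypass off and admit only the traffic the
! site-to-site link actually needs (here, HTTPS from the remote office inbound).
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

With `no sysopt connection permit-vpn`, the crypto ACL still decides what gets encrypted, while OUTSIDE_IN decides what the decrypted packets may reach once they arrive; the final `deny ip any any log` gives you a log line for anything the remote side sends that you did not expect. Verify the result with `show access-list OUTSIDE_IN` (hit counts) and `show crypto ipsec sa` (encap/decap counters) after passing test traffic.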
09-25-2007 12:56 AM
Thanks for that. So, can you tell me what routes I would need to put in, or again, would they be sent down the tunnel without any routes? Do I just point a default route out to my internet router? Do I need to point the routes for the remote network to the tunnel's peer address?
cheers
Carl