Cisco 3005, don't want tunnels to be able to communicate with each other

rdassow
Level 1

I want to set up a 3005 so each IPSEC tunnel (lan-to-lan) cannot communicate between each other in any way, but hosts on the private side of the 3005 CAN communicate to all of the tunnels.

I was thinking of enabling NAT on the tunnels, that would ensure that tunnels can't communicate with each other. However, that won't let hosts at the head end (private interface of 3005) initiate traffic back through the tunnels.

I'm thinking that maybe I could use Network Lists to accomplish this... Any ideas? Have you found a best-practice way to accomplish this type of configuration? The purpose is primarily to receive SNMP traps and allow us to telnet to routers.

Ryan

1 Reply

gfullage
Cisco Employee

If you're very specific about what traffic goes over each tunnel, then this will be the default behaviour anyway, nothing really to worry about.

For example, let's say you have two tunnels, A and B, and two remote concentrators called ConcA and ConcB. Tunnel A allows traffic from ConcA network 10.1.1.0/24 to the 10.5.5.0/24 network behind the 3005. Tunnel B allows traffic from the ConcB network 10.2.2.0/24 to the 10.5.5.0/24 network behind the tunnel.

If you set up your tunnels so that only those networks will be encrypted, then they are not going to be able to talk to each other. The people on 10.5.5.0/24 behind the 3005 will be able to communicate with both fine. You don't need to do anything out of the ordinary for this to happen, this is the way it works generally.
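The reply above relies on the tunnel selectors (the network lists on each LAN-to-LAN entry) being tight. The following Python model is an added example, not part of the original thread and not 3005 configuration: it models each tunnel as a pair of remote/local network lists, traces a packet through the head end the way an IPsec policy check would (inbound selector on the arriving tunnel, then an outbound lookup if the destination is not a head-end host), and audits a tunnel set for pairs that would let spoke traffic hairpin through the hub. The tunnel definitions, the `HEADEND_NET` value, and the loose 10.0.0.0/8 variant are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Tunnel:
    """One LAN-to-LAN tunnel as seen from the head-end 3005 (hypothetical model)."""
    name: str
    remote_net: ipaddress.IPv4Network   # network behind the remote concentrator
    local_net: ipaddress.IPv4Network    # network the tunnel is allowed to reach behind the 3005


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed: the private (head-end) network behind the 3005 from the reply.
HEADEND_NET = net("10.5.5.0/24")

# Constructed: the two tunnels from the reply, with tight selectors.
TIGHT = (
    Tunnel("A", net("10.1.1.0/24"), HEADEND_NET),
    Tunnel("B", net("10.2.2.0/24"), HEADEND_NET),
)

# Constructed: the same tunnels with a sloppy local-side list (all of 10.0.0.0/8).
LOOSE = (
    Tunnel("A", net("10.1.1.0/24"), net("10.0.0.0/8")),
    Tunnel("B", net("10.2.2.0/24"), net("10.0.0.0/8")),
)


def inbound_matches(t: Tunnel, src: str, dst: str) -> bool:
    """A decrypted packet arriving on tunnel t must fit t's selector or it is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in t.remote_net and d in t.local_net


def outbound_tunnel(src: str, dst: str, tunnels: Sequence[Tunnel] = TIGHT) -> Optional[str]:
    """Which tunnel, if any, the head end would encrypt src->dst into (first match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in tunnels:
        if s in t.local_net and d in t.remote_net:
            return t.name
    return None


def hub_path(arrived_on: str, src: str, dst: str, tunnels: Sequence[Tunnel] = TIGHT) -> str:
    """Trace a packet that arrived encrypted on one tunnel through the head end."""
    t = next(x for x in tunnels if x.name == arrived_on)
    if not inbound_matches(t, src, dst):
        return "drop:inbound-selector"
    if ipaddress.ip_address(dst) in HEADEND_NET:
        return "deliver:head-end"
    out = outbound_tunnel(src, dst, tunnels)
    return f"forward:{out}" if out else "drop:no-outbound-tunnel"


def spoke_to_spoke_risks(tunnels: Sequence[Tunnel]) -> list:
    """Static audit of a tunnel set.

    Spoke a -> spoke b can transit the hub only if b's remote network fits a's
    local-side list (inbound on a passes) AND a's remote network fits b's
    local-side list (outbound on b matches). Report every such ordered pair.
    """
    risks = []
    for a in tunnels:
        for b in tunnels:
            if a is b:
                continue
            if a.local_net.overlaps(b.remote_net) and b.local_net.overlaps(a.remote_net):
                risks.append((a.name, b.name))
    return risks


if __name__ == "__main__":
    print("ConcA host -> head end:", hub_path("A", "10.1.1.10", "10.5.5.20"))
    print("ConcA host -> ConcB host (tight):", hub_path("A", "10.1.1.10", "10.2.2.10"))
    print("ConcA host -> ConcB host (loose):", hub_path("A", "10.1.1.10", "10.2.2.10", LOOSE))
    print("head end -> ConcB host:", outbound_tunnel("10.5.5.20", "10.2.2.10"))
    print("audit tight:", spoke_to_spoke_risks(TIGHT))
    print("audit loose:", spoke_to_spoke_risks(LOOSE))
```

With the tight lists, a ConcA packet addressed to ConcB fails the inbound selector of Tunnel A (its destination is not in 10.5.5.0/24) and is discarded before the hub ever considers Tunnel B; even if it were accepted, no outbound entry matches a source outside 10.5.5.0/24. The head-end hosts, by contrast, match the outbound selector of either tunnel and can initiate to both sides, which is what the original question needs for SNMP traps and telnet. The loose variant shows the failure mode to avoid: a broad local-side list such as 10.0.0.0/8 lets the hub re-encrypt spoke traffic into the other tunnel, and `spoke_to_spoke_risks` flags that pair.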