this statement: "The permit any any statement is strongly discouraged, as this will cause all outbound traffic to be protected (and all protected traffic sent to the peer specified in the corresponding crypto map entry) and will require protection for all inbound traffic. Then, all inbound packets that lack IPSec protection will be silently dropped." I haven't really understood the exact issue with this. Does someone have an example of a problematic situation due to this "any any" statement?
I am also wondering about a strange observation I made: I have NetFlow configured on one of my IPSEC peers, monitoring the WAN interface with a monitoring tool (SolarWinds), and I see that I have traffic that is not encrypted! I see UDP and TCP traffic along with the ESP tunnel. And the non-ESP traffic is not low (30-40% of the whole traffic). I believe that I shouldn't see any UDP/TCP traffic? How could I check directly on the routers what the unencrypted traffic is?
Re: crypto map encrypting "any any" traffic and traffic not encrypted
As far as I know, IPSEC encryption is for traffic sent by the client on the LAN side of the router, not for the traffic originated by the router itself. When you use ip any any, all traffic going outbound will be protected. It is expected that all inbound traffic (to the router) will be encrypted. Traffic like routing protocols and ping traffic originated by another router, which will not be encrypted, will be dropped.
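As an added illustration of the point made in the reply above (this configuration is not from either poster and is not Cisco documentation), the fragment below shows, in Cisco IOS-style syntax, the discouraged crypto ACL beside a scoped one, and the show commands with which the actual protected traffic can be checked on the router. The peer address 192.0.2.1, the LAN prefixes 10.1.0.0/16 and 10.2.0.0/16, the interface, and all object names are assumed placeholders; the ISAKMP policy and pre-shared key configuration are omitted.

```cisco
! --- Discouraged: the crypto ACL matches everything ---
! Every outbound packet leaving the crypto-map interface is sent to the
! peer inside ESP, and every inbound packet that arrives in clear text
! (routing-protocol hellos, pings or management sessions aimed at the
! WAN address, Internet replies) is dropped, because the ACL says it
! should have been protected.
ip access-list extended CRYPTO-ACL-BAD
 permit ip any any
!
! --- Preferred: match only the site-to-site traffic that must be protected ---
! Traffic between the two LANs is encrypted; everything else (Internet-bound
! traffic, routing adjacencies on the WAN link, ICMP to the WAN address)
! is forwarded or accepted in clear text as usual. This is the plain
! TCP/UDP a NetFlow exporter on the WAN interface is expected to see
! next to the ESP flow.
ip access-list extended CRYPTO-ACL-GOOD
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES-SHA
 match address CRYPTO-ACL-GOOD
!
interface GigabitEthernet0/0
 description WAN (placeholder interface)
 crypto map VPN-MAP
!
! Verification on the router:
!   show crypto ipsec sa          - per-SA "#pkts encaps" / "#pkts decaps"
!                                   counters show what is really protected
!   show access-lists CRYPTO-ACL-GOOD - match counters show which flows
!                                   the crypto ACL selected
!   show crypto map               - confirms which ACL and peer each
!                                   crypto map entry uses
```

Comparing the ESP packet counters with the NetFlow volumes on the same interface gives a direct answer to whether the clear-text share is expected (traffic outside the crypto ACL) or a sign that the ACL does not cover a flow it should.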