Cisco Support Community

New Member

how to send traffic in the clear?

Hi All,

Am I correct in saying that to send traffic in the clear across the VPN I add a deny statement in the access-list that is matched to the crypto map?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: how to send traffic in the clear?

Depends on the ACL.

Usually you just permit the VPN traffic and the explicit deny at the end of the ACL takes care of it.

If you want to exclude some traffic that is 'part' of the permit statement, you can use a 'deny' statement BEFORE the permit statement to exclude that traffic.

Regards

Farrukh

11 REPLIES


New Member

Re: how to send traffic in the clear?

Great, thanks. If you have a useful doc on it, please post a link.

Re: how to send traffic in the clear?

What are your VPN endpoints? IOS, ASA, etc.?

Regards

Farrukh

New Member

Re: how to send traffic in the clear?

ASA (8.0), thanks.

New Member

Re: how to send traffic in the clear?

Hey, just one other question. Do the ACLs have to match exactly on each ASA/PIX for the VPN to work?

Re: how to send traffic in the clear?

Normally mirror-image ACLs are configured, but there are a few exceptions, as explained here:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_vpn_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1047713

But I would not recommend setting the VPN up like this, to keep things simple.

Regards

Farrukh

New Member

Re: how to send traffic in the clear?

Great, thanks. I cannot seem to find good documentation on configuring traffic to go in the clear, so if you have any examples I would appreciate it. I need to configure traffic to go in the clear over a VPN tomorrow. Thanks.

New Member

Re: how to send traffic in the clear?

Can you clarify something in your answer, please? First of all, so I am clear, let me explain what I want to do. I have a VPN tunnel built between a Checkpoint (Nokia) and a Cisco ASA. However, I do not want to encrypt SSH traffic to the ASA firewall, but I want to encrypt everything else.

So where in the crypto ACL do I achieve this? I am allowing both networks to talk to each other, so do I add the deny before the permit or after it? As there would be a default deny any any at the end of the ACL, I can't understand how this would work.

Re: how to send traffic in the clear?

I'm sorry I don't have an example, but I will try to explain this myself.

Let's assume the LAN behind the ASA = 10.10.10.0/24 and the one behind the Checkpoint = 11.11.11.0/24.

Now you want the VPN between all hosts in the two subnets except 10.10.10.150. You would do this on the ASA (the two entries must be entered in this order, since the ACL is evaluated top-down and the first match wins):

access-list VPN extended deny ip host 10.10.10.150 11.11.11.0 255.255.255.0

access-list VPN extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0

This way the traffic from 10.10.10.150 going to the Checkpoint LAN would be 'denied' and NOT encrypted, whereas all other hosts in this subnet will be subject to encryption.

Where are you trying to SSH the ASA from? Behind the Checkpoint? From the Checkpoint?

Regards

Farrukh

New Member

Re: how to send traffic in the clear?

OK, I get it now. The requirement is to be able to SSH to the ASA from the Checkpoint and from behind the Checkpoint.

thanks for your help

Re: how to send traffic in the clear?

The one from the Checkpoint >> ASA won't be part of the interesting traffic anyway, so no need to worry about that. The one from behind the Checkpoint will need to be excluded on both ends.

Regards

Farrukh
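The following is an added example, not code from this thread and not anything Cisco ships: a small Python model of how an ASA crypto ACL is evaluated (top-down, first match wins, implicit deny at the end, where "permit" means encrypt and "deny" or no match means the packet leaves in the clear). It uses the thread's sample subnets (10.10.10.0/24 behind the ASA, 11.11.11.0/24 behind the Checkpoint) and the excluded host 10.10.10.150 from the ACL example above; the ASA inside-interface address 10.10.10.1 and the port numbers in the sample flows are assumptions made for the SSH case. It also checks the mirror-image requirement mentioned in the replies about matching ACLs and excluding the SSH flow on both ends: on the ASA the crypto ACL's source is the local side and its destination the remote side, so the peer needs the same entries with source and destination swapped, in the same order.

```python
"""Crypto-ACL first-match simulator (added example, not from the original thread).

Models which flows an ASA crypto ACL sends into the IPsec tunnel ("encrypt")
and which it leaves in the clear ("clear").  Subnets are the thread's sample
networks; the ASA inside address 10.10.10.1 and all port numbers are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" => encrypt, "deny" => send in the clear
    proto: str                   # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: str                     # local-side network, CIDR (ASA's point of view)
    dst: str                     # remote-side network, CIDR
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto, src, dst, sport, dport) -> bool:
        return (
            self.proto in ("ip", proto)
            and ip_address(src) in ip_network(self.src)
            and ip_address(dst) in ip_network(self.dst)
            and self.sport in (None, sport)
            and self.dport in (None, dport)
        )

    def mirror(self) -> "Ace":
        """The entry the far end needs: source and destination (and ports) swapped."""
        return Ace(self.action, self.proto, self.dst, self.src, self.dport, self.sport)


def classify(acl, proto, src, dst, sport=None, dport=None) -> str:
    """Top-down evaluation; first match wins; no match hits the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, sport, dport):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"


def is_mirror(local_acl, remote_acl) -> bool:
    """True when the far-end ACL is the entry-by-entry mirror, order included."""
    return [a.mirror() for a in local_acl] == list(remote_acl)


ASA_LAN, CP_LAN = "10.10.10.0/24", "11.11.11.0/24"
ASA_INSIDE_IP = "10.10.10.1/32"          # assumed ASA inside interface address

# Correct ordering on the ASA: the exclusions sit BEFORE the broad permit.
ASA_VPN_ACL = [
    Ace("deny", "ip", "10.10.10.150/32", CP_LAN),          # host kept out of the tunnel
    Ace("deny", "tcp", ASA_INSIDE_IP, CP_LAN, sport=22),   # SSH to the ASA stays in the clear
    Ace("permit", "ip", ASA_LAN, CP_LAN),                  # everything else is encrypted
]
# Wrong ordering: the permit comes first, so the denies below it are never reached.
ASA_VPN_ACL_WRONG = [ASA_VPN_ACL[2], ASA_VPN_ACL[0], ASA_VPN_ACL[1]]
# What the Checkpoint side must carry for the exclusions to hold on both ends.
CHECKPOINT_ACL = [a.mirror() for a in ASA_VPN_ACL]


def demo() -> dict:
    """Classify a few constructed flows and return the results by name."""
    return {
        "lan_host_to_cp_lan": classify(ASA_VPN_ACL, "tcp", "10.10.10.20", "11.11.11.5", 40000, 443),
        "excluded_host": classify(ASA_VPN_ACL, "tcp", "10.10.10.150", "11.11.11.5", 40000, 443),
        "ssh_reply_from_asa": classify(ASA_VPN_ACL, "tcp", "10.10.10.1", "11.11.11.5", 22, 50000),
        "cp_host_ssh_to_asa": classify(CHECKPOINT_ACL, "tcp", "11.11.11.5", "10.10.10.1", 50000, 22),
        "not_interesting": classify(ASA_VPN_ACL, "tcp", "10.10.10.20", "192.0.2.9", 40000, 80),
        "excluded_host_wrong_order": classify(ASA_VPN_ACL_WRONG, "tcp", "10.10.10.150", "11.11.11.5", 40000, 443),
        "checkpoint_is_mirror": is_mirror(ASA_VPN_ACL, CHECKPOINT_ACL),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The "excluded_host_wrong_order" case is the one the question was really about: with the deny placed after the permit, 10.10.10.150 still matches the permit and is encrypted, so the deny has to come first. Traffic to a destination outside 11.11.11.0/24 never matches any entry and goes in the clear by the implicit deny, which is why Farrukh's first reply says the explicit deny at the end normally "takes care of it".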
