I was wondering if anyone has run into this issue before. A client's partner has required that any VPN connections to their Netscreen 208 be route-based and configured for a 0.0.0.0/0 local and remote proxy. I could see how this might be possible in an IOS VPN, but I don't see how it can be done in an ASA.
The firewall engineer for the other party suggested creating an interesting traffic ACL that excludes all networks not destined for their site and then an ANY ANY permit at the end. This seems like a disaster to even consider doing.
Just out of curiosity, is this ASA being used for internet connectivity or not? If this ASA is being used for internet connectivity, how are you going to exclude all that internet traffic and then have a permit any any? Unless you are going to tunnel all traffic, including your internet traffic, to the remote Netscreen server and then route the traffic there, permit any any is definitely not a good thing.
I am not saying that this will not work, but what I am trying to imply is that this solution does not scale really well unless you want all traffic, including your internet traffic, to go across the IPsec tunnel.
That should be fine up until the time when you have to create another VPN tunnel somewhere else. What is their solution for this? I guess at that point you would be entering another deny statement in your vpn_dumbcarrier ACL.
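An added example, not posted by anyone in this thread: a small Python model of first-match crypto ACL evaluation over the "deny the exclusions, then permit any any" list proposed in the first post, and of the extra deny entry per additional tunnel that the last reply describes. All prefixes and flows are constructed; the point it makes visible is that any destination not explicitly denied, including ordinary internet traffic, becomes interesting traffic for the partner tunnel.

```python
import ipaddress
from typing import List, Tuple

# A crypto ACL entry: (action, source prefix, destination prefix).
# As on an ASA crypto map ACL, first match wins; "permit" marks the flow as
# interesting (encrypted into the tunnel), "deny" leaves it in the clear,
# and an unmatched flow is implicitly not interesting.
Rule = Tuple[str, str, str]

# Constructed ACL modelled on the partner's proposal: exclude a few networks,
# then permit any any so the proxy IDs negotiate as 0.0.0.0/0 <-> 0.0.0.0/0.
PROPOSED_ACL: List[Rule] = [
    ("deny", "0.0.0.0/0", "10.20.0.0/16"),     # hypothetical: another VPN partner's range
    ("deny", "0.0.0.0/0", "192.168.0.0/16"),   # hypothetical: local LAN/DMZ ranges
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),      # catch-all required by the Netscreen side
]


def first_match(acl: List[Rule], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a src->dst flow using first-match semantics."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, sp, dp in acl:
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return action
    return "deny"  # implicit deny at the end of every ACL


def tunneled(acl: List[Rule], flows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flows that this ACL would push into the IPsec tunnel."""
    return [(s, d) for s, d in flows if first_match(acl, s, d) == "permit"]


def ends_with_catch_all(acl: List[Rule]) -> bool:
    """True when the last line is permit any any: everything not denied above it is tunneled."""
    action, sp, dp = acl[-1]
    return action == "permit" and sp == "0.0.0.0/0" and dp == "0.0.0.0/0"


def add_exclusion(acl: List[Rule], dst_prefix: str) -> List[Rule]:
    """Model the scaling problem: each new non-partner destination needs its own deny
    inserted ahead of the permit any any, or it silently rides the partner tunnel."""
    return acl[:-1] + [("deny", "0.0.0.0/0", dst_prefix)] + acl[-1:]


if __name__ == "__main__":
    # Constructed sample flows: one to the other partner, one to a public web server.
    flows = [("192.168.1.10", "10.20.3.4"), ("192.168.1.10", "203.0.113.5")]
    print("catch-all at end:", ends_with_catch_all(PROPOSED_ACL))
    print("tunneled:", tunneled(PROPOSED_ACL, flows))
    fixed = add_exclusion(PROPOSED_ACL, "203.0.113.0/24")
    print("after extra deny:", tunneled(fixed, flows))
```

Run as-is, the internet-bound flow to 203.0.113.5 shows up as tunneled while the flow to the other partner's range does not; only after `add_exclusion` is called does it stay in the clear, which is exactly the "another deny statement per tunnel" maintenance burden the replies object to.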