If you use an ASA to work only as a VPN L2L gateway and traffic goes to an IPsec tunnel that is currently down, you see that this traffic passes through the Internet without encryption. Is there a way that the ASA can block any non-tunnel traffic?
The simplest would probably be via not having any default route on the external interface. Have a /32 route only for the peer gateway via your provider's address. Anything leaving the ASA and trying to go anywhere else would not have a route to the destination.
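The routing approach described in the answer above, written out as an ASA configuration fragment. This is an added example, not configuration posted in the thread; the interface name, route names and all addresses are assumptions (documentation ranges): outside interface next hop 198.51.100.1, IPsec peer 203.0.113.10, local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16, and a crypto map that is assumed to be already bound to "outside".

```text
! Added example (not from the thread). Addresses and names are assumptions.
! ISP gateway 198.51.100.1, IPsec peer 203.0.113.10,
! local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16.

! --- Before: a default route lets any packet leave via "outside",
! --- whether or not it matches the crypto ACL.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! --- After: drop the default route and route only what the tunnel needs.
no route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Host route for the IPsec peer, so IKE and ESP can reach it.
route outside 203.0.113.10 255.255.255.255 198.51.100.1 1

! Route for the remote LAN out of the interface that carries the crypto map,
! so packets for 10.2.0.0/16 reach the map on "outside" and are encrypted.
! (Crypto map, crypto ACL and transform set assumed already configured.)
route outside 10.2.0.0 255.255.0.0 198.51.100.1 1

! Checks (run from enable mode, assumed host addresses):
! 1) a packet for an arbitrary Internet host now has no route and is dropped
packet-tracer input inside tcp 10.1.0.10 12345 192.0.2.10 443
! 2) a packet for the remote LAN is routed to "outside" and hits the crypto map
packet-tracer input inside tcp 10.1.0.10 12345 10.2.0.10 443
```

One caveat a practitioner should expect: without a default route, traffic the ASA itself originates to the Internet (NTP, DNS, licensing or signature updates) also loses its route, so each such destination needs its own host route via the provider's address as well.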
I think an outbound ACL to prevent all traffic would work as long as you have enabled tunnel traffic to bypass ACLs. Just guessing. Depending on the requirements, I will have a WAN edge firewall deployed in front of the VPN device that only allows IPsec protocols to and from the VPN, which would prevent anything not encrypted from passing.
I think there is something going terribly wrong with your setup. For LAN-2-LAN VPNs with interesting traffic locally defined, the traffic has to be dropped if the tunnel can't be established. Only the router can be configured to pass traffic in clear when the tunnel can not be established.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni