Cisco Support Community
New Member

Block non encrypted traffic passing a vpn asa

Hi ,

If you use an ASA to work only as a VPN L2L gateway and traffic goes to an IPsec tunnel that is currently down, you see that this traffic passes through the Internet without encryption. Is there a way that the ASA blocks any non-tunnel traffic?

Kind regards


Hall of Fame Super Silver

Block non encrypted traffic passing a vpn asa

I can think of any number of ways.

The simplest would probably be via not having any default route on the external interface. Have a /32 route only for the peer gateway via your provider's address. Anything leaving the ASA and trying to go anywhere else would not have a route to the destination.

New Member

Re: Block non encrypted traffic passing a vpn asa

I think an outbound ACL to prevent all traffic would work as long as you have enabled tunnel traffic to bypass ACLs. Just guessing. Depending on the requirements, I will have a WAN edge firewall deployed in front of the VPN device that only allows IPsec protocols to and from the VPN, which would prevent anything not encrypted from passing.


VIP Purple

Re: Block non encrypted traffic passing a vpn asa

I think there is something going terribly wrong with your setup. For LAN-to-LAN VPNs with interesting traffic locally defined, the traffic has to be dropped if the tunnel can't be established. Only the router can be configured to pass traffic in clear when the tunnel cannot be established.
