crypto bypass???

jwjorgensen (Level 4)

So this is a real oxymoron of a question.

I am setting up site-to-site IPsec tunnels between Windows XP POS terminals and an ASA 5510 for 100+ convenience stores to encrypt credit card transactions across the WAN. This is being set up for PCI compliance purposes. I would like to start deploying this setup, but I would have to put the crypto map on the outside interface of the ASA. The VPN traffic would work fine, but non-VPN traffic to the same destination would not pass through. Does anyone know of a way to pass the non-encrypted traffic through the firewall? It will take a while to deploy all of the sites, and I do not want to take the credit card capabilities down.

TIA

2 Replies

Hi,

The access-list that you associate with the crypto map command should include only the traffic (ports) that needs to be encrypted; remove all other traffic by placing a 'deny all' entry at the end of the access-list.

Then, place an access-list on the ASA (inside and outside) to permit the non-VPN traffic.

--Jaffer
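The configuration Jaffer describes, written out as an added example (editor's illustration, not configuration from either poster). It assumes ASA 8.2-era syntax (crypto isakmp / nat 0 access-list; on 8.4+ the same idea uses crypto ikev1 and object NAT), a data-center card server at 10.1.1.50 listening on TCP/443 for transactions, a store POS terminal at 203.0.113.10, and an unrelated cleartext management flow on TCP/8080; all addresses, names, the PSK placeholder and the ports are assumptions. The point being demonstrated: a crypto ACL written as narrowly as possible so that only the transaction flow is pulled into the tunnel, everything else to the same peer falling off the implicit deny at the end and passing through the ordinary interface ACL in the clear.

```cisco
! Added example (not from the original thread). ASA 5510, 8.2-style syntax assumed.
! Hosts assumed: card server 10.1.1.50 (inside), store POS terminal 203.0.113.10 (outside peer).

! --- Crypto ACL: ONLY the card-transaction flow. Written from the local (inside) side,
! --- as ASA crypto ACLs are. Anything not listed hits the implicit deny and is never
! --- matched against the tunnel, so it is forwarded like normal cleartext traffic.
access-list CRYPTO_STORE1 extended permit tcp host 10.1.1.50 eq 443 host 203.0.113.10

! --- Phase 1: IKEv1 with a pre-shared key (assumed; replace the placeholder).
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key STORE1_PSK_PLACEHOLDER

! --- Phase 2: one crypto map entry per store, bound to that store's narrow ACL.
crypto ipsec transform-set TS_AES_SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address CRYPTO_STORE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set TS_AES_SHA
crypto map OUTSIDE_MAP interface outside

! --- NAT exemption for the tunneled flow only (pre-8.3 syntax assumed), so the server
! --- address is not translated before the packet is matched against the crypto ACL.
access-list NONAT extended permit tcp host 10.1.1.50 eq 443 host 203.0.113.10
nat (inside) 0 access-list NONAT

! --- Outside interface ACL for the CLEARTEXT traffic. Decrypted tunnel traffic bypasses
! --- this ACL while 'sysopt connection permit-vpn' is on (the ASA default), so only
! --- the non-VPN flows need entries here. TCP/8080 is an assumed non-card flow.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 host 10.1.1.50 eq 8080
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Two checks worth running after applying something like this: `show crypto ipsec sa` should show encaps/decaps counters climbing only for the 10.1.1.50:443 <-> 203.0.113.10 proxy identity, and `packet-tracer input outside tcp 203.0.113.10 1025 10.1.1.50 8080` should finish with an ALLOW that passes through the access-list phase without a VPN phase, confirming the 8080 flow never touches the crypto map. The caveat a practitioner will care about: this only helps when the cleartext and tunneled flows are distinguishable by address or port. Traffic that matches a crypto ACL whose peer has not been brought up yet is held for IKE and then dropped, not sent in the clear, so if the pre-cutover card traffic uses the same server port as the post-cutover tunnel, the practical alternative is to add each store's `crypto map OUTSIDE_MAP <seq>` entry only when that store's POS terminal is switched over.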

Yeah, the problem is that the tunnels were all going to be configured before the box was shipped out to be installed. The IP addresses of the sites are going to stay the same. This eliminates the ability to do a slow cutover. I might end up setting up a link directly to the LAN fabric to bypass the ASA until everything is done.
