I am setting up site-to-site IPsec tunnels between Windows XP POS terminals and an ASA 5510 for 100+ convenience stores to encrypt credit card transactions across the WAN. This is being set up for PCI compliance purposes. I would like to start deploying this setup, but I would have to put the crypto map on the outside interface of the ASA. The VPN traffic would work fine, but non-VPN traffic to the same destination would not pass through. Is there a way that anyone knows of to go ahead and pass the non-encrypted traffic through the firewall? It will take a while to deploy all of the sites, and I do not want to take the credit card capabilities down.
The access-list which you associate with the crypto map command should include only the traffic (ports) which needs to be encrypted; remove all other traffic by placing a 'deny all' command at the end of the access-list.
Then, place access-lists on the ASA (inside and outside) to permit the non-VPN traffic.
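An added illustration of that answer (not configuration from this thread): a pre-8.3-style ASA fragment in which the crypto ACL matches only the single POS-to-payment-host flow, so everything else from the store arrives in the clear and is judged by the ordinary outside interface ACL. Store, peer and host addresses, object and map names are placeholders; the payment port (TCP/443), polling port and the single store shown are assumptions, and each additional store would get its own crypto map sequence number and crypto ACL.

```cisco
! ---- IKE phase 1 (one policy serves every store peer) ----
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! ---- Store 01: crypto ACL covers ONLY the card-transaction flow ----
! 10.10.1.10 = POS terminal at the store, 10.0.0.50 = payment host at HQ.
! The ACL's implicit deny excludes every other flow, so the ASA neither
! expects nor produces ESP for them. Clear-text traffic that does match
! this ACL, arriving from a configured peer, will be dropped; keep the
! match as narrow as the real transaction flow.
access-list STORE01-CRYPTO extended permit tcp host 10.10.1.10 host 10.0.0.50 eq 443

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map WAN-MAP 10 match address STORE01-CRYPTO
crypto map WAN-MAP 10 set peer 192.0.2.10
crypto map WAN-MAP 10 set transform-set ESP-AES256-SHA
crypto map WAN-MAP interface outside

tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>

! ---- Outside interface ACL: the clear-text flows stores still need ----
! Decrypted tunnel traffic bypasses this ACL by default
! (sysopt connection permit-vpn), so only non-VPN flows are listed here:
! a polling server on TCP/8080 and SSH management from the store subnet.
access-list OUTSIDE-IN extended permit tcp host 10.10.1.10 host 10.0.0.60 eq 8080
access-list OUTSIDE-IN extended permit tcp 10.10.1.0 255.255.255.0 host 10.0.0.70 eq 22
! Logging the final deny shows which store flows were forgotten during
! the rollout instead of silently dropping them.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

To confirm the split is working, `show crypto ipsec sa peer 192.0.2.10` should show encaps/decaps counters rising only for the card flow, while `show access-list OUTSIDE-IN` should show hit counts on the clear-text entries and nothing accumulating on the final deny.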
Yeah, the problem is that the tunnels were going to all be configured before the box was shipped out to be installed. The IP addresses of the sites are going to stay the same. This eliminates the ability to do a slow cutover. I might end up setting up a link directly to the LAN fabric to bypass the ASA until everything is done.