Cisco Support Community
New Member

crypto bypass???

So this is a real oxymoron of a question.

I am setting up site-to-site IPsec tunnels between Windows XP POS terminals and an ASA 5510 for 100+ convenience stores to encrypt credit card transactions across the WAN. This is being set up for PCI compliance purposes. I would like to start deploying this setup, but I would have to put the crypto map on the outside interface of the ASA. The VPN traffic would work fine, but non-VPN traffic to the same destination would not pass through. Is there a way that anyone knows of to go ahead and pass the non-encrypted traffic through the firewall? It will take a while to deploy all of the sites, and I do not want to take the credit card capabilities down.


New Member

Re: crypto bypass???


The access-list which you associate with the crypto map command should include only the traffic (ports) which needs to be encrypted; remove all other traffic by placing a 'deny all' command at the end of the access-list.

Then, place access-lists on the ASA (inside and outside) to permit the non-VPN traffic.
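An added configuration example (not posted by either participant) showing the layout the reply describes on an ASA, in the pre-8.3 command syntax of the thread's era. All addresses, names and the TCP/443 card-processing port are constructed for illustration; the pre-shared key is a placeholder. It goes one step past the reply by giving each store its own crypto ACL and crypto map entry, so a store's flow is only treated as "must be encrypted" once that store's terminal is actually installed, while stores still awaiting cutover continue to pass in the clear through the interface ACL:

```cisco
! --- constructed values, not from the thread ---
! card-processing host at HQ (inside):  10.10.10.50, listening on TCP/443 (assumed)
! POS terminal, store 1 (migrated):      192.0.2.10     - tunnel configured
! POS terminal, store 2 (not migrated):  198.51.100.10  - still cleartext for now

! 1. Crypto ACL for store 1 only. The ACL selects what the crypto map protects;
!    the implicit deny at its end is what the reply's "deny all" achieves, so no
!    other flow on the outside interface is claimed by this crypto map entry.
!    Caveat: a flow that matches a crypto ACL is expected to arrive encrypted,
!    so a store goes into a crypto ACL only when its tunnel is ready.
access-list VPN_STORE1 extended permit tcp host 10.10.10.50 eq 443 host 192.0.2.10

! 2. NAT exemption for the protected flow (pre-8.3 style), so the tunnel
!    sees the real addresses on both sides.
access-list NO_NAT extended permit ip host 10.10.10.50 host 192.0.2.10
nat (inside) 0 access-list NO_NAT

! 3. IKE phase 1 and the IPsec transform set.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set PCI_TS esp-aes-256 esp-sha-hmac

! 4. One crypto map entry per migrated store; entry 20, 30, ... are added
!    as further stores are installed, without touching the existing ones.
crypto map OUTSIDE_MAP 10 match address VPN_STORE1
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set PCI_TS
crypto map OUTSIDE_MAP interface outside

tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>

! 5. Interface ACL for the stores that are NOT yet in a crypto ACL. This is the
!    "non-VPN traffic" the reply refers to: it enters in the clear and is
!    limited to the single card-processing flow. Decrypted VPN traffic bypasses
!    this ACL because 'sysopt connection permit-vpn' is on by default.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.10 host 10.10.10.50 eq 443
access-group OUTSIDE_IN in interface outside
```

When store 2 is installed, its line moves from OUTSIDE_IN into its own VPN_STORE2 ACL and crypto map entry 20 (plus a NO_NAT line and tunnel-group), and the cleartext permit for it is removed, so the cutover is per store rather than all at once. On ASA 8.4 and later the same design uses `crypto ikev1` and object NAT instead of the commands shown here.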


New Member

Re: crypto bypass???

Yeah, the problem is that the tunnels were going to all be configured before the box was shipped out to be installed. The IP addresses of the sites are going to stay the same. This eliminates the ability to do a slow cutover. I might end up setting up a link directly to the LAN fabric to bypass the ASA until everything is done.