Cisco Learning Home > CCNA Security Study Group > Discussions
492 Views, 1 Reply. Latest reply: Mar 24, 2012 2:14 AM by Mark Ostler

Router decisions on VPN ACL

Mar 24, 2012 12:30 AM

Gerard Weese, 220 posts since Jan 30, 2010

Quick question on router logic between VPN peers. If you have a site-to-site VPN and your ACL tells the router what to encrypt, such as:

"access-list 101 permit ip host 10.0.0.1 host 10.0.0.2 log"

If you have networks on the far side of each of these peers, does the aforementioned ACL mean only the traffic specifically between the peers would be encrypted, and traffic destined for 10.0.5.1 (connected to 10.0.0.1) from 10.0.0.2 would not? This is hard to illustrate without pictures, but my thought process is that the sending router .2 would have to know (routing table) where to send data to reach the 5.x network, and once the sending router found the exit interface had a crypto map, the ACL would take over and send the data to the encryption engine.

-Gerard

  • Mark Ostler, 211 posts since Jun 25, 2008
    1. Mar 24, 2012 2:14 AM (in response to Gerard Weese)
    Re: Router decisions on VPN ACL

    Hi Gerard,

    To answer your question: the encryption engine will only encrypt traffic that is matched via the crypto map. So if your crypto map says to match access list 101, then only the traffic from 10.0.0.1 will be encrypted and sent across the encrypted tunnel; all other traffic will be sent unencrypted. Also keep in mind that if you have NAT enabled on your interfaces, one thing you will have to do is prevent the traffic that is destined for the VPN tunnel from being NATed. Otherwise you will see no traffic going across the tunnel.
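Added example, not part of the thread and not Cisco code: a small Python model of the outbound decision the reply above describes, seen from the 10.0.0.2 peer. A packet is routed to an exit interface; if that interface carries the crypto map, the crypto ACL decides whether it is encrypted; and because inside-to-outside NAT on IOS runs before the crypto map is consulted, a translated source address no longer matches a crypto ACL written with private addresses. Everything beyond the thread's 10.0.0.1/10.0.0.2/10.0.5.x addresses is assumed: the interface names, a 10.0.6.0/24 LAN behind the .2 peer, the public address 203.0.113.2, and the crypto ACL written as the mirror of Gerard's line. The demo walks through the host-to-host ACL (LAN-to-LAN traffic stays in cleartext), the network entry that fixes it, and NAT with and without the exemption deny line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

@dataclass
class AclEntry:
    action: str       # "permit" or "deny"
    src: int
    src_wild: int     # Cisco wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int

    def matches(self, src: int, dst: int) -> bool:
        # Every bit not covered by the wildcard must match.
        src_ok = ((src ^ self.src) & (ALL_ONES & ~self.src_wild)) == 0
        dst_ok = ((dst ^ self.dst) & (ALL_ONES & ~self.dst_wild)) == 0
        return src_ok and dst_ok

def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'host A', 'any' or 'A WILDCARD' at t[i]; return (addr, wildcard, next index)."""
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    if t[i] == "any":
        return 0, ALL_ONES, i + 1
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list <n> permit|deny ip <src> <dst> [log]' (IP-only subset)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, src_wild, i = _parse_addr(t, 4)
        dst, dst_wild, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], src, src_wild, dst, dst_wild))
    return entries

def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.matches(s, d):
            return e.action == "permit"
    return False

@dataclass
class Router:
    routes: List[Tuple[str, str]]             # (prefix, exit interface)
    crypto_iface: str                         # interface the crypto map is applied to
    crypto_acl: List[AclEntry]                # the crypto map's "interesting traffic" ACL
    nat_acl: Optional[List[AclEntry]] = None  # None = NAT off; deny entries = NAT-exempt
    nat_outside_ip: str = "203.0.113.2"       # assumed public address of this peer

    def exit_interface(self, dst: str) -> Optional[str]:
        addr, best = ipaddress.IPv4Address(dst), None   # longest-prefix match
        for prefix, iface in self.routes:
            net = ipaddress.IPv4Network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (disposition, source address as the packet leaves the router)."""
        iface = self.exit_interface(dst)
        if iface is None:
            return "dropped: no route", src
        # IOS order of operations: inside-to-outside NAT runs before the crypto
        # map is consulted, so the crypto ACL sees the translated source address.
        if self.nat_acl is not None and acl_permits(self.nat_acl, src, dst):
            src = self.nat_outside_ip
        if iface == self.crypto_iface and acl_permits(self.crypto_acl, src, dst):
            return "encrypted", src
        return "cleartext", src

def demo() -> dict:
    """The thread's scenario seen from the 10.0.0.2 peer (constructed data)."""
    routes = [("10.0.6.0/24", "GigabitEthernet0/1"),  # LAN behind .2 (assumed)
              ("10.0.5.0/24", "Serial0/0"),           # LAN behind .1, reached via the peer
              ("0.0.0.0/0", "Serial0/0")]
    host_acl = parse_acl(["access-list 101 permit ip host 10.0.0.2 host 10.0.0.1"])
    net_acl = host_acl + parse_acl(
        ["access-list 101 permit ip 10.0.6.0 0.0.0.255 10.0.5.0 0.0.0.255"])
    nat_plain = parse_acl(["access-list 110 permit ip 10.0.6.0 0.0.0.255 any"])
    nat_exempt = parse_acl(["access-list 110 deny ip 10.0.6.0 0.0.0.255 10.0.5.0 0.0.0.255",
                            "access-list 110 permit ip 10.0.6.0 0.0.0.255 any"])
    return {
        "peer_to_peer": Router(routes, "Serial0/0", host_acl).forward("10.0.0.2", "10.0.0.1"),
        "lan_to_lan_host_acl": Router(routes, "Serial0/0", host_acl).forward("10.0.6.1", "10.0.5.1"),
        "lan_to_lan_net_acl": Router(routes, "Serial0/0", net_acl).forward("10.0.6.1", "10.0.5.1"),
        "lan_to_lan_nat": Router(routes, "Serial0/0", net_acl, nat_plain).forward("10.0.6.1", "10.0.5.1"),
        "lan_to_lan_nat_exempt": Router(routes, "Serial0/0", net_acl, nat_exempt).forward("10.0.6.1", "10.0.5.1"),
    }
```

Calling demo() returns one (disposition, outgoing source) pair per case: with only the host-to-host entry, 10.0.6.1 to 10.0.5.1 leaves in cleartext even though it exits through the crypto-map interface; adding the network-to-network entry gets it encrypted; turning on NAT without the deny line rewrites the source to 203.0.113.2 and the crypto ACL no longer matches, which is the "no traffic across the tunnel" symptom in the reply; the deny line in the NAT ACL restores the match. The wildcard matcher works on raw bits, so it accepts non-contiguous Cisco wildcards, and the ACL parser covers only the "ip" protocol form used in the thread.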
