    Router decisions on VPN ACL

    Gerard Weese

      Quick question on router logic between VPN peers. If you have a site-to-site VPN and your ACL tells the router what to encrypt:


      such as "access-list 101 permit ip host host log"


      If you have networks on the far side of each of these peers, does the aforementioned ACL mean only the traffic specifically between the peers would be encrypted, and traffic destined for - connected to  from would not? This is hard to illustrate without pictures, but my thought process is that the sending router .2 would have to know (routing table) where to send data to reach the 5.x network, and once the sending router found the exit interface had a crypto map, the ACL would take over and send the data to the encryption engine.



        • 1. Re: Router decisions on VPN ACL
          Mark Ostler

          Hi Gerard,

          To answer your question: the encryption engine will only encrypt traffic that is matched via the crypto map. So if your crypto map says to match access list 101, then only the traffic from  will be encrypted and sent across the encrypted tunnel; all other traffic will be sent unencrypted. Also keep in mind that if you have NAT enabled on your interfaces, one thing that you will have to do is to prevent the traffic that is destined for the VPN tunnel from being NAT'ed. Otherwise you will see no traffic going across the tunnel.
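As an added illustration (not part of the thread, and not IOS code), the following Python models the two decisions discussed above: whether a flow matches the crypto ACL and is therefore encrypted, and whether it is exempted from NAT. All addresses are constructed sample values: peers 203.0.113.2 and 198.51.100.2, LANs 10.1.5.0/24 and 10.2.5.0/24.

```python
import ipaddress

def _wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> IPv4Network (inverted bits become the netmask).
    A non-contiguous wildcard raises ValueError, which we let propagate."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF & ~wc)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_ace(line):
    """Parse 'access-list <n> permit|deny ip <src> <dst> [log]' into
    (action, src_net, dst_net). Src/dst forms: 'host A.B.C.D',
    'A.B.C.D W.W.W.W' (wildcard) or 'any'. Only 'ip' entries are modelled."""
    tokens = line.split()
    action, rest = tokens[2], tokens[4:]
    nets = []
    while len(nets) < 2:
        tok = rest.pop(0)
        if tok == "host":
            nets.append(ipaddress.IPv4Network(rest.pop(0) + "/32"))
        elif tok == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        else:
            nets.append(_wildcard_to_network(tok, rest.pop(0)))
    return action, nets[0], nets[1]

def first_match(acl, src, dst):
    """First-match semantics with the implicit 'deny' every IOS ACL ends in."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sn, dn in acl:
        if s in sn and d in dn:
            return action
    return "deny"

def is_encrypted(crypto_acl, src, dst):
    """Crypto ACL: 'permit' = send to the encryption engine, 'deny' = clear text."""
    return first_match(crypto_acl, src, dst) == "permit"

def is_translated(nat_acl, src, dst):
    """NAT ACL: 'permit' = translate; a leading 'deny' for the tunnel
    networks is the usual way to keep VPN traffic out of NAT."""
    return first_match(nat_acl, src, dst) == "permit"

# Constructed sample ACLs (documentation address ranges, not real sites).
HOST_ONLY_ACL = [parse_ace("access-list 101 permit ip host 203.0.113.2 host 198.51.100.2 log")]
LAN_ACL = [parse_ace("access-list 101 permit ip 10.1.5.0 0.0.0.255 10.2.5.0 0.0.0.255")]
NAT_ACL = [parse_ace("access-list 110 deny ip 10.1.5.0 0.0.0.255 10.2.5.0 0.0.0.255"),
           parse_ace("access-list 110 permit ip 10.1.5.0 0.0.0.255 any")]
```

With the host-only ACL, only peer-to-peer traffic is encrypted and a LAN-to-LAN flow leaves in clear text; the LAN ACL is what the far-side networks need, and the NAT ACL's leading deny keeps that same flow from being translated before it reaches the crypto map.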