Options

IPSEC Interesting Traffic Question

itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
Hey guys this is my question.

okay you know how you have to create and ACL for interesting traffic right? but that is for only 1:1 subnetting. say you had
more subnets you wanted to have access to?

example

R2(work) vpn site setup 7 subnets of interesting traffic want access to)
192.168.1.0 /24 yeah you do it for one normally but what abot the rest?
192.168.2.0
192.168.3.0
192.168.4.0
192.168.40.0
etc...


R5 (home) vpn site setup 1 subnet range of interesting traffic)
192.168.0.0 /24


as it stands now I have to RDP into one server and the RDP from that server to other subnets. I want to be able to from my apartment
remote into any subnet off of my vpn? do I add more statements
for the interesteding traffic? in the ACL I make on each end
and include each

like:
R5 (home)
permit ip 192.168.0.x 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.x 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.0.x 0.0.0.255 192.168.3.0 0.0.0.255

R2 (work with many subnets)
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.0.255


like this and then from home I can access each subnet through
my sitetosite vpn?icon_study.gif

Comments

  • Options
    ConstantlyLearningConstantlyLearning Member Posts: 445
    Yep, just make the crypto ACL what you need.
    "There are 3 types of people in this world, those who can count and those who can't"
  • Options
    itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    thanks CL I appreciate you help mate! thanks man!icon_cheers.gif
  • Options
    SteveO86SteveO86 Member Posts: 1,423
    This probably goes without saying but make sure the ACL in your crypto map has the same amount of entries on both side of the tunnel or else the tunnel will not function properly. (So the tunnel won't form, debugging the tunnel will generate a QM FSM error)
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • Options
    itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    Thanks stevo, yeah will do. I cannot wait to config this
    this guy I hired set it up (remote access vpn with asa 5505) and I was like I know it can be done.

    So I have been practicing at home with my lab and I think I got this baby!
    ;) thanks dudes! I appreciate your guidance!

    yeh double-dipping on the RDP is crazy slow ;)
    awesome!icon_thumright.gif
  • Options
    ConstantlyLearningConstantlyLearning Member Posts: 445
    SteveO86 wrote: »
    This probably goes without saying but make sure the ACL in your crypto map has the same amount of entries on both side of the tunnel or else the tunnel will not function properly. (So the tunnel won't form, debugging the tunnel will generate a QM FSM error)

    Not true.

    I've read this a few times, seems to be best practice/recommendation but isn't required from my experience. You just need to make sure that the required ACL entries on each end are in place. There could be a bunch of other unrequired ACL entries on each end and the VPN will still function.

    I'm not say to have messy crypto ACL's though! Always make sure ot only have what's required. :)
    "There are 3 types of people in this world, those who can count and those who can't"
  • Options
    lrblrb Member Posts: 526
    Just use Cisco VTIs (virtual tunnel interface) and route everything out over that interface and IOS will encrypt all the traffic without having to define 'interesting traffic' ACLs :D
  • Options
    itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    Just use Cisco VTIs (virtual tunnel interface) and route everything out over that interface and IOS will encrypt all the traffic without having to define 'interesting traffic' ACLs icon_biggrin.gif

    sweet going to try both and lab the crap out of it God knows I have enough 1760 routers to play with hahaa LOL

    thanks guys will report back what I find icon_study.gif
Sign In or Register to comment.