IPSEC Interesting Traffic Question

itdaddy Member Posts: 2,089
Hey guys this is my question.

Okay, you know how you have to create an ACL for interesting traffic, right? But that is only for 1:1 subnetting. Say you had
more subnets you wanted to have access to?

example

R2 (work) VPN site setup, 7 subnets of interesting traffic I want access to:
192.168.1.0 /24 (yeah, you do it for one normally, but what about the rest?)
192.168.2.0
192.168.3.0
192.168.4.0
192.168.40.0
etc...


R5 (home) VPN site setup, 1 subnet range of interesting traffic:
192.168.0.0 /24


As it stands now I have to RDP into one server and then RDP from that server to the other subnets. I want to be able, from my apartment,
to remote into any subnet over my VPN. Do I add more statements
for the interesting traffic in the ACL I make on each end
and include each?

like:
R5 (home)
permit ip 192.168.0.x 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.x 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.0.x 0.0.0.255 192.168.3.0 0.0.0.255

R2 (work with many subnets)
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.0.255


Like this, and then from home I can access each subnet through
my site-to-site VPN?

Comments

  • ConstantlyLearning Member Posts: 445
    Yep, just make the crypto ACL what you need.
    "There are 3 types of people in this world, those who can count and those who can't"
  • itdaddy Member Posts: 2,089
    Thanks CL, I appreciate your help mate! Thanks man!
  • SteveO86 Member Posts: 1,423
    This probably goes without saying, but make sure the ACL in your crypto map has the same number of entries on both sides of the tunnel, or else the tunnel will not function properly. (So the tunnel won't form; debugging the tunnel will generate a QM FSM error.)
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • itdaddy Member Posts: 2,089
    Thanks Stevo, yeah, will do. I cannot wait to config this.
    This guy I hired set it up (remote access VPN with an ASA 5505) and I was like, I know it can be done.

    So I have been practicing at home with my lab and I think I've got this baby!
    ;) Thanks dudes! I appreciate your guidance!

    Yeah, double-dipping on the RDP is crazy slow ;)
    Awesome!
  • ConstantlyLearning Member Posts: 445
    SteveO86 wrote:
    This probably goes without saying, but make sure the ACL in your crypto map has the same number of entries on both sides of the tunnel, or else the tunnel will not function properly. (So the tunnel won't form; debugging the tunnel will generate a QM FSM error.)

    Not true.

    I've read this a few times; it seems to be a best practice/recommendation, but it isn't required in my experience. You just need to make sure that the required ACL entries on each end are in place. There could be a bunch of other unrequired ACL entries on each end and the VPN will still function.

    I'm not saying to have messy crypto ACLs though! Always make sure to only have what's required. :)
    "There are 3 types of people in this world, those who can count and those who can't"
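    Both the original question (one entry per remote subnet on each side of the tunnel) and the exchange just above about whether the two crypto ACLs have to line up can be checked mechanically before the tunnel is brought up. The script below is an added example, not code from this thread or from Cisco: it parses a home-side and a work-side crypto ACL (constructed here after the poster's networks, not the poster's real config), reports which entries are mirrored on the far end and which are not, and prints the lines the other router would need. It assumes plain IOS extended-ACL syntax (`permit ip <src> <wildcard> <dst> <wildcard>`, plus `host` and `any`) with contiguous wildcard masks.

```python
import ipaddress

# Constructed sample crypto ACLs modelled on the thread's two sites
# (not the poster's real config). R5 is home, R2 is work.
HOME_ACL = """
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
WORK_ACL = """
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair into an IPv4Network.

    A wildcard mask is the bitwise inverse of a subnet mask. Only contiguous
    wildcards (0.0.0.255, 0.0.255.255, ...) describe a single prefix; anything
    else cannot be expressed as an IPsec proxy identity and is rejected.
    """
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    try:
        # strict=False masks off host bits, so '192.168.0.77 0.0.0.255' -> 192.168.0.0/24
        return ipaddress.IPv4Network((addr, str(netmask)), strict=False)
    except ValueError as exc:
        raise ValueError(f"non-contiguous wildcard in '{addr} {wildcard}'") from exc


def _parse_endpoint(tokens):
    """Consume one ACE endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_crypto_acl(text):
    """Return the (src_net, dst_net) pairs permitted by an extended ACL.

    Accepts the bare 'permit ip ...' lines quoted in the thread as well as
    lines with a leading sequence number as printed by 'show access-lists'.
    Lines that are not 'permit ip' (deny, comments, other protocols) are skipped.
    """
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0].isdigit():
            tokens = tokens[1:]
        if tokens[:2] != ["permit", "ip"]:
            continue
        tokens = tokens[2:]
        src = _parse_endpoint(tokens)
        dst = _parse_endpoint(tokens)
        pairs.append((src, dst))
    return pairs


def mirror_report(local_acl, remote_acl):
    """Compare two crypto ACLs and report which entries are mirrored.

    An entry (S -> D) on one side is mirrored when the other side has (D -> S).
    Unmirrored entries are returned in the orientation of the side they came
    from, so the output reads straight against each router's config.
    """
    local = set(parse_crypto_acl(local_acl))
    remote = set(parse_crypto_acl(remote_acl))
    return {
        "matched": sorted([(s, d) for s, d in local if (d, s) in remote], key=str),
        "local_only": sorted([(s, d) for s, d in local if (d, s) not in remote], key=str),
        "remote_only": sorted([(s, d) for s, d in remote if (d, s) not in local], key=str),
    }


def mirror_acl(acl_text):
    """Generate the ACE lines the far end needs so every local entry is mirrored."""
    return [
        f"permit ip {d.network_address} {d.hostmask} {s.network_address} {s.hostmask}"
        for s, d in parse_crypto_acl(acl_text)
    ]


if __name__ == "__main__":
    report = mirror_report(HOME_ACL, WORK_ACL)
    for key, entries in report.items():
        print(key)
        for s, d in entries:
            print(f"  {s} -> {d}")
    print("lines R2 would need to mirror every R5 entry:")
    for line in mirror_acl(HOME_ACL):
        print("  " + line)
```

    In the sample, 192.168.0.0/24 -> 192.168.3.0/24 exists only on the home side and 192.168.40.0/24 -> 192.168.0.0/24 only on the work side; the report lists both so whoever reviews the config can decide whether each is an intended extra entry or a missing mirror, rather than finding out from an ISAKMP debug later.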
  • lrb Member Posts: 526
    Just use Cisco VTIs (virtual tunnel interfaces) and route everything out over that interface, and IOS will encrypt all the traffic without having to define 'interesting traffic' ACLs :D
  • itdaddy Member Posts: 2,089
    Just use Cisco VTIs (virtual tunnel interfaces) and route everything out over that interface, and IOS will encrypt all the traffic without having to define 'interesting traffic' ACLs :D

    Sweet, going to try both and lab the crap out of it. God knows I have enough 1760 routers to play with hahaa LOL

    Thanks guys, will report back what I find.