The access-list that is referenced from the crypto map is called the "Proxy ACL" or the "Proxy Identity". This ACL controls which traffic is sent over the IPsec tunnel.
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
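To show how the proxy ACL is tied to the crypto map, here is a minimal ASA 8.2-style configuration added as an illustration (not taken from the thread). The map name, peer address, transform set and interface name are placeholders, and the ISAKMP policy and tunnel-group pre-shared key are assumed to exist already.

```cisco
! Proxy ACL (proxy identity): only ICMP between the two LANs is "interesting"
! traffic for the tunnel. Anything this ACL does not match leaves the ASA in
! cleartext, so review it as carefully as the rest of the crypto policy.
access-list PROXY_ACL extended permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

! Placeholder transform set; the peer address 203.0.113.2 is an assumption
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac

! The crypto map entry references the proxy ACL with "match address"
crypto map OUTSIDE_MAP 10 match address PROXY_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set TS
crypto map OUTSIDE_MAP interface outside

! Verification: ACL hit counts should rise only for ICMP, and the IPsec SA
! packet counters should rise only while pinging across the tunnel
show access-list PROXY_ACL
show crypto ipsec sa
```

The NAT0_ACL (NAT exemption) is separate from the proxy ACL: it keeps the LAN-to-LAN addresses untranslated, while the proxy ACL alone decides what is encrypted.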
-----Original Message-----
From: amin [mailto:amin_at_axizo.com]
Sent: Tuesday, July 10, 2012 10:12 PM
To: Brian McGahan
Subject: RE: Site2site between ASAs
Hi Brian,
What do you mean by proxy ACL, and where do I apply it? I know the NAT0_ACL and the CRYPTO_ACL.
Regards,
Amin
-----Original Message-----
From: Brian McGahan [mailto:bmcgahan_at_ine.com]
Sent: Wednesday, July 11, 2012 5:38 AM
To: amin; ccielab_at_groupstudy.com
Subject: RE: Site2site between ASAs
In your proxy ACL you just need to specify only ICMP traffic, e.g.
access-list PROXY_ACL permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
Some cases will not work with the proxy ACL if you get too specific, but just using ICMP for the classifier should be fine.
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of amin
Sent: Saturday, July 07, 2012 6:18 AM
To: ccielab_at_groupstudy.com
Subject: Site2site between ASAs
Hi experts,
Site2site VPN between two ASAs: let us assume I want to encrypt the ICMP and leave the LAN-to-LAN traffic between the two sites unencrypted.
LAN 1 172.16.1.1/24, LAN 2 172.16.2.0/24 == ICMP encrypted
LAN 1 172.16.1.1/24, LAN 2 172.16.2.0/24 == Other traffic unencrypted
Regards,
Amin
Received on Wed Jul 11 2012 - 00:14:30 ART
This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART