Re: Site2site between ASAs

From: Jay McMickle <jay.mcmickle_at_yahoo.com>
Date: Wed, 11 Jul 2012 06:10:05 -0500

I'll have to lab this up. Why is it that a standard IP ACL picks up ICMP even though it's not specified?

He has since updated and stated that he was only using ICMP as an example, but I'm still interested in the ICMP portion. Lab time.

Thanks, Brian.

Regards,
Jay McMickle- CCIE #35355 (R&S)
Sent from iJay

On Jul 10, 2012, at 9:38 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:

> In your proxy ACL you just need to specify only ICMP traffic, e.g. access-list PROXY_ACL permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0.
>
> Some cases will not work with the proxy ACL if you get too specific, but just using ICMP for the classifier should be fine.
>
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of amin
> Sent: Saturday, July 07, 2012 6:18 AM
> To: ccielab_at_groupstudy.com
> Subject: Site2site between ASAs
>
> Hi experts,
>
> Site2site VPN between two ASAs, let us assume I want to encrypt the ICMP, and leave the two LANs' traffic between the two sites unencrypted.
>
> LAN 1 172.16.1.1/24, LAN 2 172.16.2.0/24 == ICMP encrypted
>
> LAN 1 172.16.1.1/24, LAN 2 172.16.2.0/24 == Other traffic unencrypted
>
>
>
> Regards,
>
> Amin
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Jul 11 2012 - 06:10:05 ART
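
Added example (not part of the original thread and not any poster's code): a small Python model of how a single proxy ACL entry selects traffic for the tunnel. It compares the ICMP-only entry quoted in the thread with a constructed "permit ip" entry, which covers every IP protocol and therefore ICMP as well, and it prints the mirrored entry the remote ASA needs. The sample flows, the PERMIT_IP_ACL name and the helper names are assumptions; only single permit entries with network/mask operands are modelled.

```python
import ipaddress

# IP protocol numbers; "ip" in an ACL entry means any IP protocol.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}

# Entry quoted in the thread, and a constructed "permit ip" entry for comparison.
ICMP_ACE = "access-list PROXY_ACL permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0"
IP_ACE = "access-list PERMIT_IP_ACL permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0"

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit PROTO SRC MASK DST MASK'."""
    t = [w for w in line.split() if w != "extended"]
    if len(t) != 8 or t[0] != "access-list" or t[2] != "permit" or t[3] not in PROTO:
        raise ValueError("unsupported entry: " + line)
    return {"name": t[1], "proto": t[3],
            "src": ipaddress.ip_network(t[4] + "/" + t[5]),
            "dst": ipaddress.ip_network(t[6] + "/" + t[7])}

def classify(ace, proto, src, dst):
    """'encrypt' if the flow matches the entry; otherwise the crypto map leaves it alone."""
    want = PROTO[ace["proto"]]
    hit = ((want is None or want == PROTO[proto])
           and ipaddress.ip_address(src) in ace["src"]
           and ipaddress.ip_address(dst) in ace["dst"])
    return "encrypt" if hit else "cleartext"

def mirror(ace):
    """Entry the remote peer needs: same protocol, source and destination swapped."""
    return "access-list {} permit {} {} {} {} {}".format(
        ace["name"], ace["proto"],
        ace["dst"].network_address, ace["dst"].netmask,
        ace["src"].network_address, ace["src"].netmask)

# Constructed sample flows: two between the LANs, one to an unrelated destination.
FLOWS = [("icmp", "172.16.1.10", "172.16.2.20"),
         ("tcp", "172.16.1.10", "172.16.2.20"),
         ("icmp", "172.16.1.10", "10.0.0.5")]

def report(line):
    """Verdict for each sample flow under the given ACL entry."""
    ace = parse_ace(line)
    return [classify(ace, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for line in (ICMP_ACE, IP_ACE):
        print(line)
        for flow, verdict in zip(FLOWS, report(line)):
            print("   ", flow, "->", verdict)
    print("peer side:", mirror(parse_ace(ICMP_ACE)))
```

"cleartext" here only means the entry did not select the flow for IPsec; whether the ASA then forwards it still depends on routing, NAT and interface ACLs.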

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART