Re: Site2site between ASAs

From: Ryan West <rwest_at_zyedge.com>
Date: Wed, 11 Jul 2012 12:56:40 +0000

Jay,

What do you mean by standard ACL? Is that in the context of a proxy ACL, or just in general?

Sent from handheld

On Jul 11, 2012, at 7:11 AM, "Jay McMickle" <jay.mcmickle_at_yahoo.com> wrote:

> I'll have to lab this up. Why is it that a standard IP ACL picks up ICMP even though it's not specified?
>
> He has since updated and stated that he was only using ICMP as an example, but I'm still interested in the ICMP portion. Lab time.
>
> Thanks, Brian.
>
> Regards,
> Jay McMickle- CCIE #35355 (R&S)
> Sent from iJay
>
> On Jul 10, 2012, at 9:38 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
>> In your proxy ACL you just need to specify only ICMP traffic, e.g. access-list PROXY_ACL permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0.
>>
>> Some cases will not work with the proxy ACL if you get too specific, but just using ICMP for the classifier should be fine.
>>
>>
>> HTH,
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security)
>> bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of amin
>> Sent: Saturday, July 07, 2012 6:18 AM
>> To: ccielab_at_groupstudy.com
>> Subject: Site2site between ASAs
>>
>> Hi experts,
>>
>> Site2site VPN between two ASAs: let us assume I want to encrypt the ICMP, and leave the two LANs' traffic between the two sites unencrypted.
>>
>> LAN 1 172.16.1.1/24, LAN 2 172.16.2.0/24 == ICMP encrypted
>>
>> LAN 1 172.16.1.1/24, LAN 2 172.16.2.0/24 == Other traffic unencrypted
>>
>>
>>
>> Regards,
>>
>> Amin
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>

Received on Wed Jul 11 2012 - 12:56:40 ART

This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART
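
The ICMP-only proxy ACL suggested in the thread, written out for both peers as an added example (not posted by anyone in the thread). The crypto map name VPN_MAP, sequence number 10, interface name "inside" and the .10 host addresses are assumptions, and the rest of the tunnel configuration (peer, transform set, tunnel-group) is assumed to be in place already.

```cisco
! Added example. Assumed names: VPN_MAP, sequence 10, interface "inside".

! ASA-1 (LAN 172.16.1.0/24): the proxy ACL classifies only ICMP toward the remote LAN
access-list PROXY_ACL extended permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
crypto map VPN_MAP 10 match address PROXY_ACL

! ASA-2 (LAN 172.16.2.0/24): mirror image of the ASA-1 entry
access-list PROXY_ACL extended permit icmp 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map VPN_MAP 10 match address PROXY_ACL

! Checks on ASA-1 (host addresses are constructed sample values)
! ICMP echo between the LANs: the trace should include a VPN phase
packet-tracer input inside icmp 172.16.1.10 8 0 172.16.2.10
! TCP between the same hosts: should not match the crypto map
packet-tracer input inside tcp 172.16.1.10 1025 172.16.2.10 80
! encaps/decaps counters should rise only while ICMP is being sent
show crypto ipsec sa
```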