D_TK
Collaborator

management server in VPN domain

I've bumped into an unintended consequence of a circuit migration.

Previous config was 8 sites connected privately via MPLS.  We moved off MPLS onto dedicated internet circuits, and created one VPN community with all sites.  For the encryption domain at the location where management is, rather than selecting the whole subnet, I added the objects individually, but didn't add the management server for the obvious reason that I didn't want a VPN failure to prevent management from communicating with the gateways.  Management reaches all gateways via their public IP.  And management is publicly addressed.

I realize now that I need management to communicate with some inside resources for AD related items.  So, what would be the best way to handle?

Is there a way to supersede with a rule that says management <-> gateways don't tunnel?

Maybe drop the management server into the encrypt domain but exclude all services that management uses, which looks like at least: tcp/18191, tcp/18264, tcp/18192

Open to all ideas, or maybe (likely) I'm missing the obvious answer.  Don't think it matters for this, but all versions are R81.10, latest GA HFA

thanks

1 Reply
the_rock
Legend

I think one idea is to exclude services that would be used for the communication within the VPN tunnel, so that way anything on them would not be encrypted, but maybe there is a better way. Let's see what else is suggested.

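A small model of the situation in the question and of the excluded-services idea in the reply, added here as an illustration; it is not code from either poster or from Check Point, and the addresses, the community layout and the `with_mgmt_in_domain` helper are constructed for the example.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed topology (not the thread's real addresses): a hub site hosting the
# management server and one remote site, both members of one VPN community.
COMMUNITY = {
    "hub-gw": {"peer_ip": "203.0.113.1", "domain": ["10.1.0.10/32", "10.1.0.11/32"]},
    "remote-gw": {"peer_ip": "198.51.100.1", "domain": ["10.2.0.0/24"]},
}
MGMT_IP = "203.0.113.10"  # public management address, deliberately in no domain

# Services excluded from the community: the management ports named in the thread.
EXCLUDED_SERVICES = {("tcp", 18191), ("tcp", 18192), ("tcp", 18264)}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def member_for(ip, community=COMMUNITY):
    """Return the gateway whose encryption domain contains ip, or None."""
    addr = ip_address(ip)
    for name, gw in community.items():
        if any(addr in ip_network(net) for net in gw["domain"]):
            return name
    return None


def classify(src, dst, proto, port, community=COMMUNITY):
    """Simplified site-to-site matching, not Check Point's own logic.

    'tunnel': both ends are in domains of two different members.
    'clear': the flow bypasses the VPN and is routed normally.
    'clear-unroutable': bypasses the VPN but targets an RFC1918 address in a
    remote domain, so it never arrives over the public circuit.
    """
    if (proto, port) in EXCLUDED_SERVICES:
        return "clear"
    s, d = member_for(src, community), member_for(dst, community)
    if s and d and s != d:
        return "tunnel"
    if d is not None and s != d and any(ip_address(dst) in n for n in RFC1918):
        return "clear-unroutable"
    return "clear"


def with_mgmt_in_domain():
    """The reply's option: management joins the hub domain and the excluded
    services keep management-to-gateway ports out of the tunnel."""
    community = deepcopy(COMMUNITY)
    community["hub-gw"]["domain"].append(MGMT_IP + "/32")
    return community
```

With the original layout, management to an inside AD host on tcp/389 comes back as 'clear-unroutable' and becomes 'tunnel' once management is in the domain, while tcp/18191 from management to a gateway stays 'clear' in both layouts.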
