topic Re: ACL applied to Interface Config on ASA in Network Security

ACL applied to Interface Config on ASA

CiscoBrownBelt — Fri, 21 Feb 2020 16:48:15 GMT

I have an ACL that shows in Details window when looking at IPSEC connection on ASA, however from CLI I don't see the ACL applied to an interface via Crypto Map. Are there other ways to apply ACL on ASA interface?

Re: ACL applied to Interface Config on ASA

Rob Ingram — Tue, 12 Feb 2019 16:04:45 GMT

Hi, can you provide a screenshot or the configuration to provide some context?

ACLs can have multiple uses on the ASA, e.g. VPN filtering, route filtering and distribution, identify traffic for MPF etc. Reference here.

HTH

Re: ACL applied to Interface Config on ASA

CiscoBrownBelt — Tue, 12 Feb 2019 16:18:09 GMT

Ok yes this is for VPN Filtering.

Re: ACL applied to Interface Config on ASA

Sergey Lisitsin — Tue, 12 Feb 2019 16:25:23 GMT

CiscoBlueBelt,

It is not quite clear what you are expecting to see. If you have a crypto map applied to an interface, it will not have a crypto ACL applied to the interface as well. Crypto map ACL defines traffic to be encrypted, not the traffic to be permitted or denied. And by default on the ASA any VPN traffic is trusted and therefore allowed. If you want to specifically block some of the traffic that comes in a VPN, you would have to disable the "sysopt permit vpn" option and then apply a separate ACL to block and allow traffic that you require on the VPN interface in the inbound direction.

Re: ACL applied to Interface Config on ASA

CiscoBrownBelt — Tue, 12 Feb 2019 16:47:30 GMT

I was expecting an ACL for VPN traffic to be applied to an interface via crypto map.

Basically, if you have an ACL for a IPSEC tunnel, how do you apply it aside from applying it via crypto map to an interface such as below:

ASA1

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

ASA1

ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside

Re: ACL applied to Interface Config on ASA

Dennis Mink — Tue, 12 Feb 2019 17:10:05 GMT

to apply a normal ACL to an interface you would apply something like:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ

to apply and ACL forr interesting traffic on an IPSEC tunnel for example:

crypto map outside_map 3 match address Internet_cryptomap_whatever
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 115.1.1.1.1
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA

Re: ACL applied to Interface Config on ASA

Sergey Lisitsin — Tue, 12 Feb 2019 17:12:01 GMT

CiscoBlueBelt,

But why would you need to apply it to an interface?

Re: ACL applied to Interface Config on ASA

CiscoBrownBelt — Tue, 12 Feb 2019 18:16:59 GMT

Awesome!

Which command specifies which interface the tunnel traffic should use? Sorry I am having hard time finding good docs that explain how to configure this.