Contributor

ACL applied to Interface Config on ASA

I have an ACL that shows in Details window when looking at IPSEC connection on ASA, however from CLI I don't see the ACL applied to an interface via Crypto Map. Are there other ways to apply ACL on ASA interface?

7 REPLIES
RJI (VIP Engager)

Re: ACL applied to Interface Config on ASA

Hi, can you provide a screenshot or the configuration to provide some context?

ACLs can have multiple uses on the ASA, e.g. VPN filtering, route filtering and distribution, identify traffic for MPF etc. Reference here.

HTH

Contributor

Re: ACL applied to Interface Config on ASA

OK, yes, this is for VPN filtering.

Participant

Re: ACL applied to Interface Config on ASA

CiscoBlueBelt,

It is not quite clear what you are expecting to see. If you have a crypto map applied to an interface, it will not have a crypto ACL applied to the interface as well. Crypto map ACL defines traffic to be encrypted, not the traffic to be permitted or denied. And by default on the ASA any VPN traffic is trusted and therefore allowed. If you want to specifically block some of the traffic that comes in a VPN, you would have to disable the "sysopt permit vpn" option and then apply a separate ACL to block and allow traffic that you require on the VPN interface in the inbound direction.

Contributor

Re: ACL applied to Interface Config on ASA

I was expecting an ACL for VPN traffic to be applied to an interface via crypto map.

Basically, if you have an ACL for an IPSEC tunnel, how do you apply it aside from applying it via crypto map to an interface such as below:

ASA1

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

ASA1

ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside

Participant

Re: ACL applied to Interface Config on ASA

CiscoBlueBelt,

But why would you need to apply it to an interface?

VIP Advocate

Re: ACL applied to Interface Config on ASA

To apply a normal ACL to an interface you would apply something like:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ

To apply an ACL for interesting traffic on an IPSEC tunnel, for example:

crypto map outside_map 3 match address Internet_cryptomap_whatever
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 115.1.1.1
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA

Please remember to rate useful posts, by clicking on the stars below.
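The replies above point out that an ASA ACL can be referenced in several different places, and only one of them (access-group) actually filters traffic on an interface: a crypto map "match address" only selects what gets encrypted, and a vpn-filter in a group policy filters tunnel traffic regardless of interface ACLs, which by default are bypassed for VPN traffic unless "sysopt connection permit-vpn" is disabled. The following is an added example, not code from the thread or from Cisco, that audits a running-config for exactly these reference points so you can see why an ACL appears in the VPN details window without any access-group line on the interface. The sample config, ACL names and addresses are constructed for this example; the parser recognises only the command forms shown in the thread plus group-policy vpn-filter.

```python
"""Audit how each ACL in an ASA running-config is referenced.

Added example (not from the thread). Recognises three reference points:
  - access-group <acl> in|out interface <if>      -> filters traffic on an interface
  - crypto map <map> <seq> match address <acl>    -> selects traffic to encrypt (no filtering)
  - group-policy ... attributes / vpn-filter value <acl> -> filters VPN traffic
and records whether 'sysopt connection permit-vpn' is still at its default.
"""
import re
from collections import defaultdict

# Constructed sample config; names and addresses are made up for this example.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq 443
access-list Internet_cryptomap_whatever extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN_FILTER extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 22
access-list UNUSED_ACL extended permit ip any any
no sysopt connection permit-vpn
access-group outside_access_in in interface outside
group-policy GP_SITE_B internal
group-policy GP_SITE_B attributes
 vpn-filter value VPN_FILTER
crypto map outside_map 3 match address Internet_cryptomap_whatever
crypto map outside_map 3 set peer 203.0.113.1
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
"""

ACL_DEF = re.compile(r"^access-list (\S+) ")
ACCESS_GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
CRYPTO_MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
CRYPTO_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)")
GP_ATTR = re.compile(r"^group-policy (\S+) attributes")
VPN_FILTER = re.compile(r"^\s*vpn-filter value (\S+)")


def classify_acls(config):
    """Return where every ACL is referenced, which ACLs are unreferenced,
    and whether VPN traffic bypasses interface ACLs (sysopt default)."""
    defined = []                     # ACL names in order of first definition
    uses = defaultdict(list)         # acl name -> list of reference descriptions
    cmap_iface = {}                  # crypto map name -> interface it is bound to
    pending_crypto = []              # (map, seq, acl) resolved after the loop
    current_gp = None                # group-policy whose attributes block we are in
    sysopt_permit_vpn = True         # ASA default: VPN traffic bypasses interface ACLs

    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if stripped == "no sysopt connection permit-vpn":
            sysopt_permit_vpn = False
            continue
        if stripped == "sysopt connection permit-vpn":
            sysopt_permit_vpn = True
            continue
        if m := ACL_DEF.match(line):
            if m.group(1) not in defined:
                defined.append(m.group(1))
        elif m := ACCESS_GROUP.match(line):
            acl, direction, iface = m.groups()
            uses[acl].append(f"access-group {direction} on interface {iface}")
        elif m := CRYPTO_MATCH.match(line):
            pending_crypto.append(m.groups())
        elif m := CRYPTO_IFACE.match(line):
            cmap_iface[m.group(1)] = m.group(2)
        elif m := GP_ATTR.match(line):
            current_gp = m.group(1)
        elif m := VPN_FILTER.match(line):
            uses[m.group(1)].append(f"vpn-filter in group-policy {current_gp or '<unknown>'}")
        elif not line.startswith(" "):
            current_gp = None        # any other top-level command leaves the attributes block

    # A crypto map ACL reaches an interface only through the map's own binding.
    for cmap, seq, acl in pending_crypto:
        iface = cmap_iface.get(cmap, "<not bound to an interface>")
        uses[acl].append(f"crypto map {cmap} seq {seq} (applied on interface {iface})")

    return {
        "uses": dict(uses),
        "unreferenced": [n for n in defined if n not in uses],
        "sysopt_connection_permit_vpn": sysopt_permit_vpn,
    }


if __name__ == "__main__":
    report = classify_acls(SAMPLE_CONFIG)
    for acl, refs in report["uses"].items():
        print(acl, "->", "; ".join(refs))
    print("unreferenced:", report["unreferenced"])
    print("VPN traffic bypasses interface ACLs:", report["sysopt_connection_permit_vpn"])
```

Run it against the output of "show running-config" to get the same split the thread describes: an ACL listed under a crypto map is interesting-traffic selection, not a filter, and an interface ACL only affects tunnel traffic when the report shows sysopt_connection_permit_vpn as False.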

Contributor

Re: ACL applied to Interface Config on ASA

Awesome!

Which command specifies which interface the tunnel traffic should use? Sorry, I am having a hard time finding good docs that explain how to configure this.
