I have an ACL that shows in Details window when looking at IPSEC connection on ASA, however from CLI I don't see the ACL applied to an interface via Crypto Map. Are there other ways to apply ACL on ASA interface?
Hi, can you provide a screenshot or the configuration to provide some context?
ACLs can have multiple uses on the ASA, e.g. VPN filtering, route filtering and distribution, identify traffic for MPF etc. Reference here.
It is not quite clear what you are expecting to see. If you have a crypto map applied to an interface, it will not have a crypto ACL applied to the interface as well. Crypto map ACL defines traffic to be encrypted, not the traffic to be permitted or denied. And by default on the ASA any VPN traffic is trusted and therefore allowed. If you want to specifically block some of the traffic that comes in a VPN, you would have to disable the "sysopt permit vpn" option and then apply a separate ACL to block and allow traffic that you require on the VPN interface in the inbound direction.
I was expecting an ACL for VPN traffic to be applied to an interface via crypto map.
Basically, if you have an ACL for a IPSEC tunnel, how do you apply it aside from applying it via crypto map to an interface such as below:
ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg
ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside
to apply a normal ACL to an interface you would apply something like:
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
to apply and ACL forr interesting traffic on an IPSEC tunnel for example:
crypto map outside_map 3 match address Internet_cryptomap_whatever
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 184.108.40.206.1
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA
Which command specifies which interface the tunnel traffic should use? Sorry I am having hard time finding good docs that explain how to configure this.