02-12-2019 07:52 AM - edited 02-21-2020 08:48 AM
I have an ACL that shows in Details window when looking at IPSEC connection on ASA, however from CLI I don't see the ACL applied to an interface via Crypto Map. Are there other ways to apply ACL on ASA interface?
02-12-2019 08:04 AM
Hi, can you provide a screenshot or the configuration to provide some context?
ACLs can have multiple uses on the ASA, e.g. VPN filtering, route filtering and distribution, identify traffic for MPF etc. Reference here.
HTH
02-12-2019 08:18 AM
02-12-2019 08:25 AM
CiscoBlueBelt,
It is not quite clear what you are expecting to see. If you have a crypto map applied to an interface, it will not have a crypto ACL applied to the interface as well. Crypto map ACL defines traffic to be encrypted, not the traffic to be permitted or denied. And by default on the ASA any VPN traffic is trusted and therefore allowed. If you want to specifically block some of the traffic that comes in a VPN, you would have to disable the "sysopt permit vpn" option and then apply a separate ACL to block and allow traffic that you require on the VPN interface in the inbound direction.
02-12-2019 08:47 AM
I was expecting an ACL for VPN traffic to be applied to an interface via crypto map.
Basically, if you have an ACL for an IPSEC tunnel, how do you apply it aside from applying it via crypto map to an interface such as below:
ASA1
ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg
ASA1
ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside
02-12-2019 09:12 AM
CiscoBlueBelt,
But why would you need to apply it to an interface?
02-12-2019 09:10 AM
To apply a normal ACL to an interface you would apply something like:
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
To apply an ACL for interesting traffic on an IPSEC tunnel, for example:
crypto map outside_map 3 match address Internet_cryptomap_whatever
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 115.1.1.1.1
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA
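The two binding styles shown in this thread (access-group on an interface versus crypto map match address) and the vpn-filter and sysopt points raised above can be audited from a saved config. The following is an added example, not code from the thread or from Cisco; it parses a constructed sample ASA configuration (names like cmap, ACL1, VPN_FILTER and GP_L2L are assumed) and reports where each access-list is actually used.

```python
import re

# Constructed sample ASA configuration (not from the thread) showing the three ways an ACL
# is put to use: access-group on an interface, crypto map match address, group-policy vpn-filter.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq 443
access-list ACL1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_FILTER extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 22
access-list UNUSED extended permit ip any any
access-group outside_access_in in interface outside
crypto map cmap 1 match address ACL1
crypto map cmap interface outside
group-policy GP_L2L attributes
 vpn-filter value VPN_FILTER
no sysopt connection permit-vpn
"""

ACCESS_LIST = re.compile(r"^access-list (\S+) ")
ACCESS_GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
CRYPTO_MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
CRYPTO_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)")
GROUP_POLICY = re.compile(r"^group-policy (\S+) attributes")
VPN_FILTER = re.compile(r"^\s+vpn-filter value (\S+)")

def acl_bindings(config):
    """Map every access-list name to the places the config binds it (empty list = unused)."""
    bindings = {}
    map_iface = {}   # crypto map name -> interface the map is applied to
    pending = []     # (map, seq, acl) tuples; resolved once the map's interface is known
    policy = None    # group-policy whose attributes block we are currently inside
    for line in config.splitlines():
        if m := ACCESS_LIST.match(line):
            bindings.setdefault(m.group(1), [])
        elif m := ACCESS_GROUP.match(line):
            bindings.setdefault(m.group(1), []).append(f"access-group {m.group(2)} {m.group(3)}")
        elif m := CRYPTO_MATCH.match(line):
            pending.append((m.group(1), m.group(2), m.group(3)))
        elif m := CRYPTO_IFACE.match(line):
            map_iface[m.group(1)] = m.group(2)
        elif m := GROUP_POLICY.match(line):
            policy = m.group(1)
        elif (m := VPN_FILTER.match(line)) and policy:
            bindings.setdefault(m.group(1), []).append(f"vpn-filter group-policy {policy}")
    for cmap, seq, acl in pending:
        iface = map_iface.get(cmap, "<map not applied to an interface>")
        bindings.setdefault(acl, []).append(f"crypto map {cmap} {seq} interface {iface}")
    return bindings

def vpn_traffic_bypasses_interface_acl(config):
    # ASA default: decrypted VPN traffic skips the interface ACL unless this line is present.
    return "no sysopt connection permit-vpn" not in config.splitlines()
```

Run it over `show running-config` output to see whether an ACL shown in the VPN details is a crypto ACL (interesting traffic), a vpn-filter, or an interface ACL, and whether the interface ACL even applies to tunnel traffic.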
02-12-2019 10:16 AM
Awesome!
Which command specifies which interface the tunnel traffic should use? Sorry, I am having a hard time finding good docs that explain how to configure this.