ACL applied to Interface Config on ASA

CiscoPurpleBelt
Level 6

I have an ACL that shows in Details window when looking at IPSEC connection on ASA, however from CLI I don't see the ACL applied to an interface via Crypto Map. Are there other ways to apply ACL on ASA interface?

7 Replies

Hi, can you provide a screenshot or the configuration to provide some context?

ACLs can have multiple uses on the ASA, e.g. VPN filtering, route filtering and distribution, identify traffic for MPF etc. Reference here.

HTH

Ok yes this is for VPN Filtering.

Sergey Lisitsin
VIP Alumni

CiscoBlueBelt,

It is not quite clear what you are expecting to see. If you have a crypto map applied to an interface, it will not have a crypto ACL applied to the interface as well. Crypto map ACL defines traffic to be encrypted, not the traffic to be permitted or denied. And by default on the ASA any VPN traffic is trusted and therefore allowed. If you want to specifically block some of the traffic that comes in a VPN, you would have to disable the "sysopt permit vpn" option and then apply a separate ACL to block and allow traffic that you require on the VPN interface in the inbound direction.

I was expecting an ACL for VPN traffic to be applied to an interface via crypto map.

Basically, if you have an ACL for an IPSEC tunnel, how do you apply it aside from applying it via crypto map to an interface such as below:

ASA1

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

ASA1

ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside

CiscoBlueBelt,

But why would you need to apply it to an interface? 

Dennis Mink
VIP Alumni

To apply a normal ACL to an interface you would apply something like:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ

To apply an ACL for interesting traffic on an IPSEC tunnel, for example:

crypto map outside_map 3 match address Internet_cryptomap_whatever
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 115.1.1.1.1 
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA

Please remember to rate useful posts, by clicking on the stars below.
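The thread's underlying question is "where can an ACL be attached on an ASA?", and the answers above name three places: an interface (access-group), a crypto map entry (match address, which only selects traffic for encryption and does not permit or deny anything), and a VPN filter in a group-policy (vpn-filter value, the mechanism that matters once sysopt connection permit-vpn is disabled). The following Python script is an added example, not code from the thread or from Cisco: it parses a running-config and reports every attachment point for each access-list, plus any ACL that is defined but never referenced and any reference to an ACL that is never defined. The config text is constructed for the example (names such as ACL1, cmap and L2L_GP are taken from the thread; VPN_FILTER, MPF_ACL, L2L_GP's class-map and the addresses are made up), and it also recognises the MPF case (match access-list under a class-map) mentioned in the first reply.

```python
"""Audit where each access-list in an ASA running-config is attached.

Added example; the config below is constructed, not a real device's output.
"""
import re
from collections import defaultdict

# Constructed sample config (hypothetical names and addresses).
SAMPLE_CONFIG = """\
access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN_FILTER extended permit tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list outside_access_in extended deny ip any any
access-list MPF_ACL extended permit tcp any any eq 80
access-list UNUSED extended permit ip any any
no sysopt connection permit-vpn
access-group outside_access_in in interface outside
class-map WEB_CLASS
 match access-list MPF_ACL
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-filter value VPN_FILTER
crypto map cmap 1 match address ACL1
crypto map cmap 1 set peer 10.10.10.2
crypto map cmap 1 set ikev2 ipsec-proposal P1
crypto map cmap interface outside
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 general-attributes
 default-group-policy L2L_GP
"""

ACL_DEF = re.compile(r"^access-list (\S+) ")
ACCESS_GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
CRYPTO_MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
CRYPTO_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)")
GP_ATTR = re.compile(r"^group-policy (\S+) attributes")
CLASS_MAP = re.compile(r"^class-map (\S+)")
VPN_FILTER = re.compile(r"^\s+vpn-filter value (\S+)")
MATCH_ACL = re.compile(r"^\s+match access-list (\S+)")


def audit_acl_usage(config: str) -> dict:
    """Return {'usage', 'unused', 'undefined_referenced', 'sysopt_permit_vpn'}."""
    defined = set()
    usage = defaultdict(list)        # acl name -> list of attachment descriptions
    map_iface = {}                   # crypto map name -> interface it is bound to
    crypto_entries = []              # (map name, seq, acl)
    context = None                   # (kind, name) of the enclosing config block
    permit_vpn = True                # ASA default: VPN traffic bypasses interface ACLs

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            context = None           # top-level line ends any indented block
        if m := ACL_DEF.match(line):
            defined.add(m.group(1))
        elif m := ACCESS_GROUP.match(line):
            usage[m.group(1)].append(f"interface {m.group(3)} {m.group(2)}")
        elif m := CRYPTO_MATCH.match(line):
            crypto_entries.append(m.groups())
        elif m := CRYPTO_IFACE.match(line):
            map_iface[m.group(1)] = m.group(2)
        elif m := GP_ATTR.match(line):
            context = ("group-policy", m.group(1))
        elif m := CLASS_MAP.match(line):
            context = ("class-map", m.group(1))
        elif (m := VPN_FILTER.match(line)) and context and context[0] == "group-policy":
            usage[m.group(1)].append(f"vpn-filter in group-policy {context[1]}")
        elif (m := MATCH_ACL.match(line)) and context and context[0] == "class-map":
            usage[m.group(1)].append(f"MPF class-map {context[1]}")
        elif line == "no sysopt connection permit-vpn":
            permit_vpn = False
        elif line == "sysopt connection permit-vpn":
            permit_vpn = True

    # A crypto ACL is only effective once its map is bound to an interface.
    for name, seq, acl in crypto_entries:
        iface = map_iface.get(name, "<unbound>")
        usage[acl].append(f"crypto map {name} seq {seq} (bound to interface {iface})")

    return {
        "usage": {acl: usage.get(acl, []) for acl in sorted(defined)},
        "unused": sorted(acl for acl in defined if not usage.get(acl)),
        "undefined_referenced": sorted(set(usage) - defined),
        "sysopt_permit_vpn": permit_vpn,
    }


if __name__ == "__main__":
    result = audit_acl_usage(SAMPLE_CONFIG)
    for acl, places in result["usage"].items():
        print(f"{acl}: {', '.join(places) or 'NOT REFERENCED'}")
    print("unused:", result["unused"])
    print("referenced but undefined:", result["undefined_referenced"])
    print("sysopt connection permit-vpn:", result["sysopt_permit_vpn"])
```

Run against a real `show running-config` dump to answer the original question for a given box: an ACL that appears in the IPsec session details but not under any `access-group` will usually show up here either as a crypto map `match address` (traffic selector only) or as a group-policy `vpn-filter` (the one that actually filters). The script only reads configuration text and makes no changes to a device.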

Awesome!

Which command specifies which interface the tunnel traffic should use? Sorry, I am having a hard time finding good docs that explain how to configure this.
