06-18-2021 12:10 AM
Hi All,
I am very new to Cisco/ASA and maybe this question is very basic, but I couldn't get it.
We have a crypto map configured with a client and have used an ACL to define the interesting traffic. There is no tunnel interface attached to it. We only see an active crypto SA when the client initiates the traffic.
My question here is, how do we define the source & destination for the ACL that defines the interesting traffic? I've pasted below a snippet of our config. The ACL allows traffic from internal subnets (belonging to us) to client subnets, but the SA comes up when the client initiates the traffic.
show running-config crypto map
crypto map VPNMAP 2 match address Client-1-ACL
crypto map VPNMAP 2 set pfs group5
crypto map VPNMAP 2 set connection-type answer-only
crypto map VPNMAP 2 set peer x.x.x.x
crypto map VPNMAP 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map VPNMAP 2 set security-association lifetime seconds 28800
crypto map VPNMAP 2 set reverse-route
crypto map VPNMAP interface INTERNET
sh run access-list Client-1-ACL
access-list Client-1-ACL extended permit ip object-group Internal-NETS object-group Client-NETS
Thank You in advance
06-18-2021 12:18 AM
The source can be any IP address as defined in the crypto ACL (Client-1-ACL), so from your network Internal-NETS or the remote network Client-NETS, obviously the destination is the other network as per the crypto ACL.
Usually a VPN is bi-directional, so either side can initiate the traffic. However you've got the command "crypto map VPNMAP 2 set connection-type answer-only" configured, which means the remote network (an IP address within the object-group Client-NETS) has to initiate traffic in order for the VPN to be established.
Does that answer your question?
06-18-2021 12:18 AM - edited 06-18-2021 12:20 AM
The SA will come up when either end initiates traffic. The client end has a mirror image definition that defines its interesting traffic. When it initiates, their end will negotiate the ISAKMP and IPsec parameters with you and each will respectively validate the allowed sources and destinations to then create the IPsec security association (SA). It should work that way no matter which end starts the flow.
(Edit: Except, as @Rob Ingram mentioned, where you have the "answer-only" parameter. That's quite uncommon.)
06-18-2021 12:36 AM
Hi Rob,
Thanks for your reply but, I am sorry as there is still a little confusion. I understand your point that since we have connection type as answer-only, it is client who has to initiate the traffic. But, my ACL allows from Source (internal-IP) to Destination (client-IP) then how come the initiating traffic from client is allowed.
One more thing, since you mentioned that "The source can be any IP address as defined in the crypto ACL", would it work if I have the ACLs configured as
access-list Client-1-ACL extended permit ip object-group Client-NETS object-group Internal-NETS
06-18-2021 12:57 AM
You write the ACL from your local perspective, so the source will be your local network(s) and the remote peer's network will be the destination. The remote peer mirrors that configuration.
Once the IPsec SAs have been established, either network (local or remote) as defined in the crypto ACL can be the source of the VPN traffic.
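To make the "mirror image" rule from the replies above concrete, here is a small checker, added as an example and not part of the original thread or of any Cisco tool. It parses the crypto ACL and connection-type from two ASA config snippets (the local one modelled on the poster's, and a constructed one for the remote peer), expands object-groups to prefixes, and reports any ACE that has no mirrored counterpart on the other side, plus the case where both peers are answer-only and so nobody ever initiates IKE. The object-group members, the remote peer's names (OUTSIDE_MAP, TO-PARTNER, Our-NETS, Partner-NETS) and both peer addresses are assumptions, since the thread does not show them.

```python
"""Mirror-check two ASA crypto ACLs and the connection-type on each side."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input (assumption: the thread never shows the object-group
# members or the peer's config, so these prefixes and names are invented here).
LOCAL_OBJECT_GROUPS = {
    "Internal-NETS": ["10.10.0.0/16", "10.20.0.0/24"],
    "Client-NETS": ["172.16.5.0/24"],
}
LOCAL_CONFIG = """
crypto map VPNMAP 2 match address Client-1-ACL
crypto map VPNMAP 2 set connection-type answer-only
crypto map VPNMAP 2 set peer 203.0.113.9
access-list Client-1-ACL extended permit ip object-group Internal-NETS object-group Client-NETS
"""

# The remote peer writes its ACL from *its* perspective: its own networks as source.
# It leaves connection-type unset (ASA default: bidirectional), so it can initiate.
REMOTE_OBJECT_GROUPS = {
    "Our-NETS": ["172.16.5.0/24"],
    "Partner-NETS": ["10.10.0.0/16", "10.20.0.0/24"],
}
REMOTE_CONFIG = """
crypto map OUTSIDE_MAP 10 match address TO-PARTNER
crypto map OUTSIDE_MAP 10 set peer 198.51.100.4
access-list TO-PARTNER extended permit ip object-group Our-NETS object-group Partner-NETS
"""


@dataclass
class CryptoMapEntry:
    acl_name: str = ""
    connection_type: str = "bidirectional"    # ASA default when the command is absent
    aces: list = field(default_factory=list)  # [(set_of_src_nets, set_of_dst_nets), ...]


def _operand(tokens, pos, groups):
    """Parse one ACE address operand at tokens[pos]; return (set of networks, next pos)."""
    tok = tokens[pos]
    if tok in ("any", "any4"):
        return {ipaddress.ip_network("0.0.0.0/0")}, pos + 1
    if tok == "host":
        return {ipaddress.ip_network(tokens[pos + 1] + "/32")}, pos + 2
    if tok == "object-group":
        return {ipaddress.ip_network(p) for p in groups[tokens[pos + 1]]}, pos + 2
    # plain "network mask" form, e.g. 10.10.0.0 255.255.0.0
    return {ipaddress.ip_network(f"{tok}/{tokens[pos + 1]}")}, pos + 2


def parse_crypto_map(config, groups):
    """Pull the crypto ACL name, connection-type and permit-ip ACEs out of a snippet."""
    entry = CryptoMapEntry()
    acls = {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto map \S+ \d+ match address (\S+)$", line)
        if m:
            entry.acl_name = m.group(1)
            continue
        m = re.match(r"crypto map \S+ \d+ set connection-type (\S+)$", line)
        if m:
            entry.connection_type = m.group(1)
            continue
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", line)
        if m:
            tokens = m.group(2).split()
            src, pos = _operand(tokens, 0, groups)
            dst, _ = _operand(tokens, pos, groups)
            acls.setdefault(m.group(1), []).append((src, dst))
    entry.aces = acls.get(entry.acl_name, [])
    return entry


def flow_pairs(entry):
    """Expand the ACEs into the set of (src_net, dst_net) prefixes this peer will propose."""
    return {(s, d) for src, dst in entry.aces for s in src for d in dst}


def check_peers(local, remote):
    """Return a list of problems; an empty list means the two sides agree."""
    findings = []
    local_pairs = flow_pairs(local)
    remote_mirrored = {(d, s) for s, d in flow_pairs(remote)}  # swap to local perspective
    extra_local = sorted(local_pairs - remote_mirrored)
    extra_remote = sorted(remote_mirrored - local_pairs)
    if extra_local:
        findings.append("local ACEs with no mirror on the remote peer: "
                        + ", ".join(f"{s}->{d}" for s, d in extra_local))
    if extra_remote:
        findings.append("remote ACEs (shown from the local perspective) with no local match: "
                        + ", ".join(f"{s}->{d}" for s, d in extra_remote))
    if local.connection_type == "answer-only" and remote.connection_type == "answer-only":
        findings.append("both peers are answer-only: neither side will ever initiate IKE")
    return findings


if __name__ == "__main__":
    local = parse_crypto_map(LOCAL_CONFIG, LOCAL_OBJECT_GROUPS)
    remote = parse_crypto_map(REMOTE_CONFIG, REMOTE_OBJECT_GROUPS)
    for finding in check_peers(local, remote) or ["crypto ACLs mirror each other; OK"]:
        print(finding)
```

Run against the constructed pair above it reports nothing, because the remote ACL is the exact mirror and the remote side is free to initiate. Swapping the two object-groups in the local ACL, as asked in the follow-up question, makes the checker flag every ACE on both sides, since the local ACL would then no longer be the mirror of the peer's.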