Difference between Tunnel Groups and Crypto Maps on ASA?
I'm confused when to use a Tunnel Group - if ever - when creating a Lan-2-Lan IPSec VPN tunnel between two ASA-5540s. For standard configuration does one work mainly with Crypto Maps? When does one work with Tunnel Groups?
One can not exist without other. About a L2L tunnel, the crypto map specifies
3)Match ACL (The traffic which will flow through the tunnel, in othe words, the traffic which will trigger this cryptomap to establish the tunnel)
Now devices know who are the endpoints for VPN tunnel, the transform sets that both ends have to use, and the traffic which should flow through the tunnel.
tunnel-group comes in here. It includes pre-shared-key that is going to be used for authentication of both ends, or set certificate if you like, idle timeouts etc also determines if this tunnel a remote access tunnel or a lan to lan, if this is a remote access tunnel, you specify address pool definitions in here and so on.
Here is an example code for establishing a site-to-site
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 match xxx (Acl Name)
Keep in mind that tunnel-group name must match the remote peer IP address (if this is a lan to lan tunnel)
GeneralWhich Cisco Secure products include access to SecureX?What are the SecureX data retention/privacy policies?What is SSE?How can I unlink my smart account from SSE and link it to a new account?Do I have to use the same SSE region as the SecureX regio...
More people are working remotely, and this increases the risk of security breaches and the difficulty in defending remote workers where they work and securing the devices they use.
Learn about Cisco Remote Secure Worker solutions that verify workers, secu...
GeneralWhich Cisco Secure products include access to SecureX?What are the SecureX data retention/privacy policies?What is SSE?How can I unlink my smart account from SSE and link it to a new account?Do I have to use the same SSE region as the Secur...
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr...