Firewall cleanup

Hello community,

I'm in the process of cleaning up an ASA-5525x that has been configured by many teams before me. My question is on:

! The dynamic map is attached as the last entry (sequence 65535) of the crypto map on each interface;
! a peer that matches none of the static entries is negotiated against it.
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside

! What the dynamic map offers: PFS with DH group 1, and IKEv1 transform sets / IKEv2 proposals
! ranging from AES-256 down to single DES and MD5.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

How can I be sure this isn't being used by anything?

Is this dynamic map ever used for RA VPN like Anyconnect or older RA VPNs?

Is this dynamic map ever used for certain L2L VPNs?

Does this leave the network open to intrusion?

Is it there by default and if so, is it best practice to delete this?


We currently only do Anyconnect and static VPNs.


Thanks for your help clarifying this for me!

1 ACCEPTED SOLUTION


Re: Firewall cleanup

Dynamic crypto maps are typically used for two use cases:

1. Site-to-site VPN where one end is DHCP-addressed and thus cannot be accommodated by a static entry on the ASA.

2. Remote-access IPsec VPN (legacy Cisco or third-party client; NOT AnyConnect).

If you check all of your site-site VPNs and find a static entry for each then #1 is not an issue.

If you're only using Anyconnect for remote access VPN then #2 is not an issue.
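A way to carry out the two checks from the accepted answer against a saved copy of `show running-config`, as an added example; this is not code from the thread or from Cisco. It is a static-config audit: it lists every `ipsec-l2l` tunnel-group that has no static `set peer` entry (check #1), every remote-access tunnel-group whose group policy allows an IPsec protocol (check #2), and the weak proposals the posted dynamic map offers (DES, 3DES, MD5, DH group 1). Two caveats the answer does not mention: AnyConnect run over IKEv2 is IPsec and negotiates through this dynamic map (that is where its `ikev2 ipsec-proposal` list lives), as does L2TP/IPsec, so those protocols are counted alongside the legacy `ikev1` client; and a group policy that never sets `vpn-tunnel-protocol` inherits DfltGrpPolicy, whose defaults only appear in `show running-config all`. The config excerpt is constructed: only the dynamic-map lines and the two interface bindings are from the post; the peers, group policies and tunnel-group names are invented. Algorithm detection relies on the default ASA names for transform sets and IKEv2 proposals; a box that renamed them needs `show run crypto ipsec` to map names to algorithms.

```python
import re

# Constructed sample of "show running-config" output. Only the dynamic-map lines
# and the two interface bindings come from the original post; the peers, group
# policies and tunnel-group names are invented for the example.
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
group-policy GP_SITE internal
group-policy GP_SITE attributes
 vpn-tunnel-protocol ikev1
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client ikev2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITE
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 default-group-policy GP_ANYCONNECT
"""

# Remote-access protocols whose IPsec SAs are negotiated through the dynamic crypto map.
IPSEC_RA_PROTOCOLS = {"ikev1", "ikev2", "l2tp-ipsec"}
# Substrings of the default ASA transform-set / proposal names that denote weak algorithms.
WEAK_TOKENS = ("DES", "MD5", "GROUP1", "GROUP2")


def static_peers(config):
    """Peers pinned by a static 'crypto map <map> <seq> set peer ...' entry."""
    peers = set()
    for m in re.finditer(r"^crypto map \S+ \d+ set peer (.+)$", config, re.M):
        peers.update(m.group(1).split())
    return peers


def l2l_without_static_peer(config):
    """ipsec-l2l tunnel-groups with no static entry: they can only come up via the dynamic map."""
    l2l = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M))
    return sorted(l2l - static_peers(config))


def ra_groups_using_ipsec(config):
    """Remote-access tunnel-groups whose group policy permits an IPsec-based protocol."""
    indented = r"\n(?:^ .*\n)*?"  # skips earlier lines of the same indented block
    protocols = {p: set(v.split()) for p, v in re.findall(
        r"^group-policy (\S+) attributes" + indented + r" vpn-tunnel-protocol (.+)$", config, re.M)}
    policy_of = dict(re.findall(
        r"^tunnel-group (\S+) general-attributes" + indented + r" default-group-policy (\S+)$", config, re.M))
    result = {}
    for group in sorted(re.findall(r"^tunnel-group (\S+) type remote-access$", config, re.M)):
        # A group with no explicit policy inherits DfltGrpPolicy (visible only in 'show run all').
        hit = protocols.get(policy_of.get(group, "DfltGrpPolicy"), set()) & IPSEC_RA_PROTOCOLS
        if hit:
            result[group] = sorted(hit)
    return result


def dynamic_map_proposals(config, name):
    """PFS group and IKEv1/IKEv2 proposal names offered by one crypto dynamic-map."""
    props = {"pfs": None, "ikev1": [], "ikev2": []}
    for line in config.splitlines():
        if not line.startswith(f"crypto dynamic-map {name} "):
            continue
        words = line.split()[4:]  # drop 'crypto dynamic-map <name> <seq>'
        if words[:2] == ["set", "pfs"]:
            props["pfs"] = words[2] if len(words) > 2 else "group2"  # bare 'set pfs' means group2
        elif words[:3] == ["set", "ikev1", "transform-set"]:
            props["ikev1"] = words[3:]
        elif words[:3] == ["set", "ikev2", "ipsec-proposal"]:
            props["ikev2"] = words[3:]
    return props


def weak_proposals(props):
    """Proposal names that denote DES/3DES, MD5 or a 1024-bit-or-smaller DH group (default naming)."""
    names = props["ikev1"] + props["ikev2"] + ([props["pfs"]] if props["pfs"] else [])
    return sorted(n for n in names if any(t in n.upper() for t in WEAK_TOKENS))


def audit(config):
    """Run every check; config_depends_on_dynamic_map is True if anything in the config needs it."""
    bindings = re.findall(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$", config, re.M)
    report = {
        "dynamic_bindings": bindings,
        "l2l_without_static_peer": l2l_without_static_peer(config),
        "ra_groups_using_ipsec": ra_groups_using_ipsec(config),
        "weak_proposals": {d: weak_proposals(dynamic_map_proposals(config, d))
                           for d in sorted({b[2] for b in bindings})},
    }
    report["config_depends_on_dynamic_map"] = bool(
        report["l2l_without_static_peer"] or report["ra_groups_using_ipsec"])
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the sample the audit reports one site-to-site group (198.51.100.20) with no static peer and the ANYCONNECT group allowing IKEv2, so the dynamic map cannot simply be deleted there; in the thread's case (AnyConnect plus static tunnels only) both lists would be empty. The config check is only half the picture: before removing the 65535 entries, confirm on the live box with `show crypto ipsec sa` (SAs built from the dynamic map report `Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP`) and `show vpn-sessiondb`, and if the map stays because AnyConnect IKEv2 needs it, at least trim the DES, 3DES and MD5 entries and move PFS off group 1.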


3 REPLIES

Re: Firewall cleanup

You are in a heap of trouble :))
AFAIK this can be used by:
- AnyConnect
- EasyVPN (I am not 100% sure on this)

What I would do:
- find out the company's policy for Remote VPN Access: is this the appliance being used for AnyConnect IPsec?
- do you have AnyConnect SSL enabled/in use?

Re: Firewall cleanup

It is being used for Anyconnect, yes. It is enabled and in use. I just don't see the connection between the Anyconnect profiles and the configured dynamic site-to-site crypto map.
