
Firewall cleanup

Mr.Christian
Level 1

Hello community,

I'm in the process of cleaning up an ASA-5525x that has been configured by many teams before me. My question is on:

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

How can I be sure this isn't being used by anything?

Is this dynamic map ever used for RA VPN like Anyconnect or older RA VPNs?

Is this dynamic map ever used for certain L2L VPNs?

Does this leave the network open to intrusion?

Is it there by default and if so, is it best practice to delete this?

We currently only do Anyconnect and static VPNs.

Thanks for your help clarifying this for me!

Accepted Solution

Dynamic crypto maps are typically used for two use cases:

1. Site-site VPN where one end is DHCP-addressed and thus cannot be accommodated by a static entry on the ASA.

2. Remote access IPsec VPN (legacy Cisco or third party client - NOT AnyConnect)

If you check all of your site-site VPNs and find a static entry for each then #1 is not an issue.

If you're only using Anyconnect for remote access VPN then #2 is not an issue.
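To make the "check all of your site-site VPNs" step repeatable, here is a small audit script (an added example, not code from the thread or from Cisco) that reads a saved ASA running-config and reports, for each dynamic map, which crypto maps reference it, which interfaces those maps are applied to, whether it sits at the catch-all sequence 65535, and which legacy algorithms from the quoted config (DES, 3DES, MD5, group1) it still offers, alongside the static entries that have an explicit peer. The sample config, the ACL name and the peer 203.0.113.10 are constructed for the example.

```python
from collections import defaultdict

# Constructed sample config: the dynamic-map lines quoted in the question
# plus one static site-to-site entry (peer address is a documentation IP).
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address L2L_BRANCH_ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev2 ipsec-proposal AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 3DES DES
"""

# Algorithm tokens present in the quoted config that a cleanup should retire.
WEAK = {"DES", "3DES", "MD5", "group1"}


def audit_crypto(config_text):
    """Inventory dynamic-map references, the interfaces they reach, weak
    algorithms they offer, and the static (explicit-peer) crypto map entries."""
    bound = {}                     # crypto map name -> interface it is applied to
    static = defaultdict(set)      # crypto map name -> seq numbers with 'set peer'
    dyn_refs = defaultdict(list)   # dynamic-map name -> [(crypto map, seq)]
    weak = defaultdict(set)        # dynamic-map name -> weak tokens configured
    for line in config_text.splitlines():
        t = line.split()
        if t[:2] == ["crypto", "map"] and len(t) >= 5:
            if t[3] == "interface":
                bound[t[2]] = t[4]
            elif t[4] == "ipsec-isakmp" and "dynamic" in t:
                dyn_refs[t[t.index("dynamic") + 1]].append((t[2], int(t[3])))
            elif t[4:6] == ["set", "peer"]:
                static[t[2]].add(int(t[3]))
        elif t[:2] == ["crypto", "dynamic-map"] and len(t) > 4:
            for tok in t[4:]:   # e.g. ESP-DES-MD5 -> ESP, DES, MD5
                weak[t[2]].update(p for p in tok.split("-") if p in WEAK)
    dynamic = {}
    for name, refs in dyn_refs.items():
        dynamic[name] = {
            "bound_on": sorted({bound.get(m, "(unbound)") for m, _ in refs}),
            "catch_all": all(seq == 65535 for _, seq in refs),
            "weak": sorted(weak[name]),
        }
    return {"dynamic": dynamic,
            "static_peers": {m: sorted(s) for m, s in static.items()}}
```

Parsing the config only shows what the dynamic map could accept; whether any peer actually negotiates through it is a question for the live appliance (`show crypto ipsec sa`, `show vpn-sessiondb`) observed over a representative period before the entry is removed.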


3 Replies

Florin Barhala
Level 6
You are in a heap of trouble : ))
AFAIK this can be used by:
- AnyConnect
- EasyVPN (I am not 100% sure on this)

What I would do:
- find out the company's policy for Remote VPN Access: is this the appliance being used for AnyConnect IPSEC?
- do you have AnyConnect SSL enabled/in use?

It is being used for Anyconnect, yes. It is enabled and in use. I just don't see the connection between the Anyconnect profiles and the configured dynamic site-to-site crypto map.

