Beginner

IPSec VPN without Crypto-map ACL

Hi,

Is there any other way to establish IPSec between two ASAs without having to define the crypto-map (proxy) ACL?

For example, I want to send ALL TFP traffic over the VPN without defining the ACL.

Regards


Salman

Beginner

Hello,

If the crypto map is static you definitely require an ACL to define the interesting traffic; otherwise the crypto map will be incomplete and will never work. If what you want is to send all the traffic to a server or a particular network over the tunnel, you can define your ACL with source any and destination the server or subnet you want to communicate with over the tunnel. This should not affect the other tunnels if you don't have the same destination in any of them.

access-list vpn-traffic extended permit ip any remote_ip mask 

Regards, please rate.

Cisco Employee

Hi s.nasheet,

You can try using a dynamic tunnel. In this case, even if the other side of the tunnel is using a static public IP, you can still configure a dynamic-to-static VPN. Using this, your side is not going to use any ACL, and the other side of the tunnel is going to specify what they would like to send through the tunnel.

If you are expecting to have a VPN tunnel without interesting traffic between 2 ASAs that is not possible.

-JP-

Rising star

Hello Salman,

You can use a pre-existing dynamic tunnel group such as "DefaultL2LGroup", which will enable you to use an IPSec tunnel without a crypto ACL; however, you still require a NAT-exempt statement.

A dynamic tunnel will not work if the session is initiated from the dynamic-tunnel side, but if the session is initiated from the remote tunnel side it will work, and the remote-tunnel side must have a static crypto map in place. In other words, both sides cannot be in dynamic tunnel mode.

Thanks

Rizwan Rafeek
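A minimal pair of ASA configurations for the static/dynamic arrangement described in the second and third replies, given here as an added example and not taken from any of the posters. Peer addresses, subnets, object names and the pre-shared-key placeholder are constructed, and the NAT-exemption lines assume pre-8.3 ASA syntax.

```cisco
! ---- Static side (203.0.113.1, LAN 10.1.0.0/16): needs a crypto ACL and a peer ----
! Constructed addresses; only this side can bring the tunnel up (third reply).
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Interesting traffic: "source any" as the first reply suggests, destination the remote subnet
access-list vpn-traffic extended permit ip any 10.2.0.0 255.255.0.0
crypto map outside_map 10 match address vpn-traffic
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <STRONG-PSK-PLACEHOLDER>
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! ---- Dynamic side (203.0.113.2, LAN 10.2.0.0/16): no crypto ACL, no peer ----
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! A dynamic crypto map carries no "match address"; the proxy IDs come from the static peer's ACL
crypto dynamic-map dyn-map 10 set transform-set ESP-AES-SHA
! Sequence 65535 keeps the dynamic entry last so any static entries are evaluated first
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
crypto map outside_map interface outside
! Any peer presenting this PSK lands in DefaultL2LGroup, so the key must be strong and unique
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <STRONG-PSK-PLACEHOLDER>
! NAT exemption is still required on this side (third reply), pre-8.3 syntax assumed
access-list nonat extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
```

Check the result with "show crypto isakmp sa" and "show crypto ipsec sa" on the static side after sending traffic toward 10.2.0.0/16; the dynamic side should show the SA under DefaultL2LGroup.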