Ok, this behavior is new to me. It would appear to have considerable security implications as well. Comments are welcome!
My ASA (5520, 8.2(5)) terminates both L2L and Remote (User/RAS) IPSEC VPNs. Each L2L VPN has a crypto map sequence, and I have a dynamic map at the end for remote users.
I'm bringing up a new tunnel with PartnerA. I implement a very standard config: an ACL defining specific "interesting" traffic (i.e. a proxy ACL), a crypto map sequence, tunnel-group referencing the partner firewall IP to set the ipsec shared secret, and NAT exemption rules.
The partner firewall is now able to bring up IPSEC SAs for *any* networks! That is, I see entries in "show crypto ipsec sa" referencing network pairs that are not in my defined proxy ACL. Those rogue IPSEC SAs are landing on the dynamic crypto map rather than my defined crypto map. Note that proper IPSEC SAs, landing on the static crypto map, are created for networks defined in my ACL.
Does the existence of a dynamic crypto map, along with a defined shared-secret for a partner firewall, give them carte blanche to create IPSEC SAs for any network pair they like? Tell me it ain't so...
Thanks for any insight!
Mark Walters
CCIE #20571 R/S, Security
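For readers who want to reproduce the scenario the post describes, here is an added, illustrative ASA configuration of the same shape (a static crypto map entry with a proxy ACL, an L2L tunnel-group carrying the partner's pre-shared key, and a dynamic map at the end of the same crypto map). This is not the poster's actual configuration: the ACL and map names, the networks and the partner address 203.0.113.10 are made up, and 8.2-era ASA syntax is assumed. The last two lines are one tightening a practitioner would test in a lab, not something the post states: giving the dynamic entry its own `match address` ACL so it only accepts proxy IDs for the remote-access pool rather than any pair a peer proposes.

```text
! Added illustration, not the original poster's configuration.
! Names, networks and the partner address are assumptions.

! Interesting traffic for the PartnerA static entry (local net -> partner net)
access-list PARTNERA_VPN extended permit ip 10.10.0.0 255.255.255.0 172.16.5.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Static entry for PartnerA: phase 2 proxy IDs are constrained by the ACL
crypto map OUTSIDE_MAP 10 match address PARTNERA_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA

! L2L tunnel-group keyed on the partner firewall address, holding the PSK
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key ********

! Dynamic entry for remote users at the end of the same crypto map, as in the
! post. With no match address, there is no ACL restricting which proxy IDs an
! already-authenticated peer may propose against this entry.
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! Candidate tightening to verify in a lab (assumed remote-access pool 10.99.0.0/24):
! limit the dynamic entry to traffic toward the RA pool only.
access-list RA_VPN extended permit ip any 10.99.0.0 255.255.255.0
crypto dynamic-map DYN_MAP 10 match address RA_VPN
```

The check after any change is the same one the post uses: clear the partner's SAs, let them re-establish, and confirm in `show crypto ipsec sa` that every SA with peer 203.0.113.10 lists only local/remote identities covered by PARTNERA_VPN and none that belong to the dynamic entry. Note that the `match address` on the dynamic map only narrows phase 2 proxy IDs; the partner's pre-shared key still authenticates IKE phase 1 via the L2L tunnel-group, so the remote-access ACL needs to be written so that it does not overlap the partner's networks.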