
ASA VPN: partner firewall can create IPSEC SAs for any networks!

Mark Walters
Level 1

Ok, this behavior is new to me.  It would appear to have considerable security implications as well.  Comments are welcome!

My ASA (5520, 8.2(5)) terminates both L2L and Remote (User/RAS) IPSEC VPNs.  Each L2L VPN has a crypto map sequence, and I have a dynamic map at the end for remote users.

I'm bringing up a new tunnel with PartnerA.  I implement a very standard config: an ACL defining specific "interesting" traffic (i.e. a proxy ACL), a crypto map sequence, tunnel-group referencing the partner firewall IP to set the ipsec shared secret, and NAT exemption rules.

The partner firewall is now able to bring up IPSEC SAs for *any* networks!  That is, I see entries in "show crypto ipsec sa" referencing network pairs that are not in my defined proxy ACL.  Those rogue IPSEC SAs are landing on the dynamic crypto map rather than my defined crypto map.  Note that proper IPSEC SAs, landing on the static crypto map, are created for networks defined in my ACL.

Does the existence of a dynamic crypto map, along with a defined shared-secret for a partner firewall, give them carte blanche to create IPSEC SAs for any network pair they like?  Tell me it ain't so..

Thanks for any insight!

Mark Walters

CCIE #20571 R/S, Security

1 Reply 1

Marcin Latosiewicz
Cisco Employee

Mark,

A dynamic crypto map allows the initiator to pick any traffic selectors they want.

But you are right, there is some security implication here. As a workaround I can suggest either using a different transform set on static crypto map entries and dynamic ones, so negotiation of new SAs will fail, or using a vpn filter to drop traffic.

If you don't mind, open up a TAC case so we can dig in. I do remember something similar discussed recently but can't find the result :{

M.
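
The check described in the question (spotting SAs from a known L2L peer that sit on the dynamic map or use selectors outside the proxy ACL) can be automated; the Python below is an added example, not part of the original thread and not Cisco code. The `show crypto ipsec sa` layout, the map names, the addresses and the `L2L_PEERS` policy table are assumptions constructed for illustration.

```python
import ipaddress
import re
# Constructed sample in the assumed layout of ASA "show crypto ipsec sa" output.
SAMPLE = """\
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.1
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2
    Crypto map tag: dyn_map, seq num: 65535, local addr: 192.0.2.1
      local ident (addr/mask/prot/port): (10.9.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2
"""
# Hypothetical policy: L2L peer IP -> (local, remote) pairs from its proxy ACL.
L2L_PEERS = {"198.51.100.2": {(ipaddress.ip_network("10.1.0.0/24"),
                               ipaddress.ip_network("10.2.0.0/24"))}}

TAG = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
PEER = re.compile(r"current_peer: ([\d.]+)")

def parse_sas(text):
    """Yield one dict per SA block: map tag, seq, peer, local/remote networks."""
    sa = None
    for line in text.splitlines():
        if m := TAG.search(line):
            if sa:
                yield sa
            sa = {"map": m.group(1), "seq": int(m.group(2))}
        elif sa is not None and (m := IDENT.search(line)):
            sa[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        elif sa is not None and (m := PEER.search(line)):
            sa["peer"] = m.group(1)
    if sa:
        yield sa

def rogue_sas(text, l2l_peers, static_map):
    """Return SAs from known L2L peers that are off-map or outside the proxy ACL."""
    findings = []
    for sa in parse_sas(text):
        allowed = l2l_peers.get(sa.get("peer"))
        if allowed is None:
            continue  # not a configured L2L peer (e.g. a remote-access user)
        pair = (sa.get("local"), sa.get("remote"))
        if sa["map"] != static_map or pair not in allowed:
            findings.append(sa)
    return findings
```

Calling `rogue_sas(SAMPLE, L2L_PEERS, "outside_map")` returns only the SA that the partner peer negotiated on `dyn_map`.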