06-02-2016 08:06 AM
Hi,
Let's say we have the following configuration:
access-list vpn1 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map mymap 10 match address vpn1
crypto map mymap 10 set peer x.x.x.x
access-list vpn2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map mymap 20 match address vpn2
crypto map mymap 20 set peer y.y.y.y
In the above example, what happens if you intend to send a packet to a host on 10.1.1.x and the peer X.X.X.X is down (no SA)?
If the ASA checks that the SA is down or missing, does it start processing the next crypto access list according to the crypto map sequence number, or does it just drop the packet?
If the ASA processes the next crypto map entry/crypto ACL, what happens if no ACL matches? Are the packets sent as clear text?
Thanks for the explanation.
Peter
06-02-2016 08:29 AM
Hi Peter,
It would work if the first tunnel is down and there are no SAs for it.
However, it is not recommended to have overlapping crypto ACLs.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
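As an added illustration (not part of the thread) of why the overlap in the question is the thing to fix: the checker below parses the configuration from the question, models the ASA's rule that crypto map entries are evaluated in ascending sequence number and the first crypto ACL match wins (peer/SA state is not modelled), and flags crypto map entries whose ACLs can match the same flow. The peers x.x.x.x/y.y.y.y are the question's placeholders.

```python
import ipaddress
import re

# Configuration copied from the question above (constructed sample, placeholder peers).
ASA_CONFIG = """
access-list vpn1 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map mymap 10 match address vpn1
crypto map mymap 10 set peer x.x.x.x
access-list vpn2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map mymap 20 match address vpn2
crypto map mymap 20 set peer y.y.y.y
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)")

def parse(config):
    """Return crypto map entries as (seq, acl_name, [(src_net, dst_net), ...]), sorted by seq."""
    acls = {}
    for m in ACL_RE.finditer(config):
        name, sip, smask, dip, dmask = m.groups()
        src = ipaddress.ip_network(f"{sip}/{smask}", strict=False)
        dst = ipaddress.ip_network(f"{dip}/{dmask}", strict=False)
        acls.setdefault(name, []).append((src, dst))
    entries = []
    for m in MAP_RE.finditer(config):
        _, seq, acl = m.groups()
        entries.append((int(seq), acl, acls.get(acl, [])))
    return sorted(entries, key=lambda e: e[0])

def first_match(entries, src_ip, dst_ip):
    """Lowest crypto map sequence whose ACL permits src->dst; None means no crypto map entry applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, _, aces in entries:
        if any(src in s and dst in d for s, d in aces):
            return seq
    return None

def overlaps(entries):
    """Pairs of sequence numbers whose crypto ACLs can both match the same flow (the overlap to fix)."""
    found = set()
    for i, (seq_a, _, aces_a) in enumerate(entries):
        for seq_b, _, aces_b in entries[i + 1:]:
            for sa, da in aces_a:
                for sb, db in aces_b:
                    if sa.overlaps(sb) and da.overlaps(db):
                        found.add((seq_a, seq_b))
    return sorted(found)

if __name__ == "__main__":
    e = parse(ASA_CONFIG)
    print("192.168.1.5 -> 10.1.1.7 selects seq", first_match(e, "192.168.1.5", "10.1.1.7"))
    print("overlapping crypto map entries:", overlaps(e))
```

Because 10.1.1.0/24 sits inside 10.0.0.0/8, traffic to 10.1.1.x is selected by sequence 10 before sequence 20 is ever considered; moving the more specific ACL to a lower sequence number, or excluding 10.1.1.0/24 from vpn1 with a deny line, removes the overlap the checker reports.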