Crypto ACL best practices

BRANDON BAILEY · ‎01-23-2013

Is anyone aware of a site-to-site VPN best practices document? I setup a site-to-site VPN for a client that needs access to a handfull of IP addresses and I am controlling access through the crypto ACL. They are stating that it is best practice to allow access to the entire subnet and control access through a regular interface ACL. This does not make any sense to me. Why bring up the tunnel for traffic that the other site does not have access to, only to block it on my side. I need some time of design document or best practices document that proves this but I have been unsuccessful in searching.

Marcin Latosiewicz · ‎01-23-2013

Brandon,

Actually it IS best pracatices to agregate the ACLs as much as possible.

The reason being is that we hold each each (active) entry separaty in the IPsec SA DB, meaning, there will be control traffic exchanged for every single ACL entry.

This has absolutely no impact if you have a handfull of tunnels configured, it starts becoming a limiting factor for large deployments.

Consider also this - crypto map bases solutions is something we're migrating customers away from.

There are only a handful of use cases (even if good ones) where crypto maps are the only applicable solution (getvpn and other solutions apart).

Currently most of solutions are based around logical interfaces (tunnels and VT/VA) and tunnel protection.

Tunnel protection will maintain ONE SA DB entry per peer. Which allows pretty good scalability control plane wise.

To answer your question, no I don't believe one aggregate best practices with crypto maps exists. As I said we're moving away from using crypto maps and putting most documentation effort around tunnel protection.

From time to time there are also events on support forums where you can discuss best practices with VPN engineers.

HTH,

M.

DSPadmin1 · ‎10-15-2014

Hi,

Whats your recommendation on my situation: I have a pair of ASA 5520s in HA mode and currently the only thing I have is 42 site to site VPN and possibly going to have more than 100 in next couple months.

and I would like to be able to limit traffic through tunnel in both directions, like HTTP allow inbound and FTP+RDP allow outbound. please advise and thank you in advance.

Amir

Marcin Latosiewicz · ‎10-15-2014

Amir,

In case of ASA look into vpn-filter, do not perform filtering using "deny" statements on crypto ACL.

M.

DSPadmin1 · ‎10-16-2014

Hi,

I am using vpn-filter in group policy. I have an ACL with no deny rule:

1. allow HTTP from remote-host to local-host

2. allow RDP/FTP from local-host to remote-host

rule number 1 work fine the remote has only HTTP access to local. however Local-host has no access to remote host. seems like no matter what I do I can filter traffic inbound but my outbound traffic is blocked ( even though I have allow rule in my VPN-Filter ACL)

when I use default group policy which it has no vpn-filter access is fully open both direction.

Thank you

Peter Zsiros · ‎10-21-2014

The VPN filter ACL is a bit tricky.

It is not like the normal ACL with source IP source port destination IP detination port.

VPN filter has a local and remote side so you have to configure keeping this in mind not the usual ACL things...