Cryptomap or VPN filter

Phil Bradley
Level 4

Just curious on best practices when using crypto maps. Is it recommended to add a complete network and use VPN filters to only allow certain hosts/ports, or do this at the crypto map level? The reason that I ask is that I was experiencing IPsec tunnel issues between an ASA and a Cradlepoint router when using crypto maps to segment the traffic. If I had 5 hosts or networks defined in the crypto map, then occasionally the Cradlepoint would drop one or two of the IPsec tunnels and I would have to disconnect the VPN to get them to come back up. I finally just added a single network in the crypto map on both ends and used VPN filters to only allow certain hosts/ports in. So far the single tunnel has stayed up.

2 Replies

Philip D'Ath
VIP Alumni

For site to site VPNs, I tend to put everything in the access list.

Francesco Molino
VIP Alumni
Hi

For L2L, I put the host IP in the crypto ACL and use vpn-filter if I want to authorize only a few ports on the host.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
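As an added example (not configuration from this thread or from either poster), here is an ASA configuration that follows the approach discussed above: one broad entry in the crypto ACL so that only a single IPsec SA pair is negotiated with the peer, and a vpn-filter on the group-policy that restricts which hosts and ports may actually use the tunnel. All addresses, object names, the peer IP and the transform set are assumptions chosen for illustration.

```cisco
! Constructed example. Local LAN 10.1.0.0/24, remote (router-side) LAN
! 192.168.50.0/24, remote peer 203.0.113.10. All values are placeholders.

! 1) Crypto ACL: a single network-to-network entry, so the peer negotiates
!    one IPsec SA pair instead of one per host/network in the crypto map.
access-list L2L-CRYPTO extended permit ip 10.1.0.0 255.255.255.0 192.168.50.0 255.255.255.0

! 2) vpn-filter ACL: controls what is allowed through the tunnel.
!    Caveat: write entries from the remote peer's perspective
!    (source = remote side, destination = local side). The ASA applies the
!    filter to traffic in both directions, so to let a local host initiate
!    to a remote service, put the service port on the remote (source) side.
!    Here only the remote workstation may reach RDP and HTTPS on one local server.
access-list L2L-FILTER extended permit tcp host 192.168.50.20 host 10.1.0.5 eq 3389
access-list L2L-FILTER extended permit tcp host 192.168.50.20 host 10.1.0.5 eq 443
access-list L2L-FILTER extended deny ip any any log

! 3) Bind the filter to the L2L tunnel through a group-policy.
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value L2L-FILTER

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

! 4) IKE/IPsec parameters and the crypto map referencing the single-entry ACL.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

After the tunnel comes up, `show crypto ipsec sa` should list one SA pair for the 10.1.0.0/24 to 192.168.50.0/24 proxy identities, and `show access-list L2L-FILTER` shows hit counts on the permit and deny entries so you can confirm the filter is actually restricting traffic.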