01-21-2018 10:56 AM - edited 03-12-2019 04:56 AM
Just curious on best practices when using crypto maps. Is it recommended to add a complete network and use VPN filters to only allow certain hosts/ports, or to do this at the crypto map level? The reason I ask is that I was experiencing IPsec tunnel issues between an ASA and a Cradlepoint router when using crypto maps to segment the traffic. If I had 5 hosts or networks defined in the crypto map, then occasionally the Cradlepoint would drop one or two of the IPsec tunnels and I would have to disconnect the VPN to get them to come back up. I finally just added a single network in the crypto map on both ends and used VPN filters to only allow certain hosts/ports in. So far the single tunnel has stayed up.
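To put the two approaches side by side, here is an added ASA configuration sketch. It is an illustration written for this thread, not the poster's config and not a copy of either device's running config; every address, ACL name, group-policy name and the peer IP 203.0.113.5 are made up (RFC 1918 and documentation ranges). It shows the granular crypto ACL the poster started with and the summary-ACE-plus-vpn-filter layout they ended up with.

```text
! --- Approach A (what the poster started with): granular crypto ACL ---------
! Every ACE here is a separate proxy-ID pair, so the ASA negotiates a
! separate IPsec SA pair with the peer for each one (five SA pairs total).
! Not bound to the crypto map below; shown for comparison only.
access-list CRYPTO-A-GRANULAR extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
access-list CRYPTO-A-GRANULAR extended permit ip host 10.1.1.11 192.168.50.0 255.255.255.0
access-list CRYPTO-A-GRANULAR extended permit ip host 10.1.1.12 192.168.50.0 255.255.255.0
access-list CRYPTO-A-GRANULAR extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list CRYPTO-A-GRANULAR extended permit ip 10.1.3.0 255.255.255.0 192.168.50.0 255.255.255.0

! --- Approach B (what the poster ended up with): one summary ACE ------------
! One proxy-ID pair, one IPsec SA pair. The peer's crypto ACL must be the
! exact mirror image (192.168.50.0/24 -> 10.1.0.0/16) or phase 2 fails.
access-list CRYPTO-B-SUMMARY extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0

! The vpn-filter does the host/port restriction that the crypto ACL no longer
! does. ACEs are written from the REMOTE side's point of view:
!   source      = remote (branch) network
!   destination = local host, with the port on the local side
! The ASA applies the same ACL to both directions of the tunnel, so these
! three ACEs admit branch-initiated traffic to the listed services and the
! return traffic for them, and nothing else.
access-list BRANCH-VPN-FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 443
access-list BRANCH-VPN-FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.11 eq 22
access-list BRANCH-VPN-FILTER extended permit udp 192.168.50.0 255.255.255.0 host 10.1.1.12 eq 514
! Implicit deny exists anyway; an explicit logged deny makes the drops visible.
access-list BRANCH-VPN-FILTER extended deny ip any any log

group-policy BRANCH-GP internal
group-policy BRANCH-GP attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value BRANCH-VPN-FILTER

tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy BRANCH-GP
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key <psk>

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address CRYPTO-B-SUMMARY
crypto map OUTSIDE-MAP 10 set peer 203.0.113.5
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
```

Two things worth keeping in mind with approach B. First, the crypto ACL only decides what gets encrypted and what proxy IDs are negotiated; it does not stop the peer from sending anything inside 192.168.50.0/24 -> 10.1.0.0/16 into the tunnel, so the vpn-filter is the real access control. Second, the ASA ships with `sysopt connection permit-vpn` enabled, which lets decrypted VPN traffic bypass the outside interface ACL, so without a vpn-filter (or disabling that sysopt) the wide crypto ACL exposes all of 10.1.0.0/16 to the branch. Verify the result with `show crypto ipsec sa peer 203.0.113.5` (you should see a single SA pair for the summary) and `show access-list BRANCH-VPN-FILTER` to watch the hit counts on the permits and the logged deny.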
01-21-2018 11:19 AM
For site to site VPNs, I tend to put everything in the access list.
01-21-2018 11:51 AM