08-05-2019 10:17 AM
Hello community,
I'm in the process of cleaning up an ASA-5525x that has been configured by many teams before me. My question is on:
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
How can I be sure this isn't being used by anything?
Is this dynamic map ever used for RA VPN like Anyconnect or older RA VPNs?
Is this dynamic map ever used for certain L2L VPNs?
Does this leave the network open to intrusion?
Is it there by default and if so, is it best practice to delete this?
We currently only do Anyconnect and static VPNs.
Thanks for your help clarifying this for me!
08-06-2019 08:17 PM
Dynamic crypto maps are typically used for two use cases:
1. Site-site VPN where one end is DHCP-addressed and thus cannot be accommodated by static entry on the ASA.
2. IPsec remote access VPN (legacy Cisco or third-party client, NOT AnyConnect)
If you check all of your site-site VPNs and find a static entry for each then #1 is not an issue.
If you're only using Anyconnect for remote access VPN then #2 is not an issue.
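The two checks in this answer can be made repeatable against a saved running-config. The Python below is an added example written for this page; it is not code from the thread or from Cisco. It reads a constructed ASA config (the dynamic-map lines mirror the question, while the static peer 203.0.113.10, the second L2L peer 198.51.100.20, the group-policies and the tunnel-groups are invented), reports which interfaces the dynamic map is bound to, which ipsec-l2l tunnel-groups have no static crypto map entry naming them as a peer, which remote-access tunnel-groups default to a group-policy that allows an IPsec protocol (ikev1, ikev2 or l2tp-ipsec; AnyConnect over IKEv2 terminates on IPsec too, so it is counted), and which settings in the dynamic map are weak (DES, 3DES, MD5, PFS group1/group2).

```python
from collections import defaultdict

# Constructed sample ASA configuration (not the original poster's config).
# The dynamic-map lines mirror the question; everything else is invented.
SAMPLE_CONFIG = """
crypto map outside_map 10 match address L2L_BRANCH
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 3DES DES
group-policy GroupPolicy_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
group-policy GroupPolicy_LEGACY attributes
 vpn-tunnel-protocol ikev1
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 default-group-policy GroupPolicy_ANYCONNECT
tunnel-group LEGACY_IPSEC type remote-access
tunnel-group LEGACY_IPSEC general-attributes
 default-group-policy GroupPolicy_LEGACY
"""

# vpn-tunnel-protocol values that terminate on IPsec (so they can land on the
# dynamic crypto map) rather than on TLS/DTLS. AnyConnect over IKEv2 is IPsec.
IPSEC_PROTOCOLS = {"ikev1", "ikev2", "l2tp-ipsec"}
WEAK_TOKENS = {"DES", "3DES", "MD5"}   # matched on the '-'-separated name parts
WEAK_PFS = {"group1", "group2"}        # 768-bit and 1024-bit MODP


def audit_dynamic_maps(config_text):
    """Static audit of where a dynamic crypto map could still be hit."""
    static_peers = set()               # peers named by a static 'set peer'
    map_dynamic = {}                   # crypto map -> dynamic-map it references
    map_interface = {}                 # crypto map -> interface it is bound to
    dyn_settings = defaultdict(list)   # dynamic-map -> [(setting, values)]
    l2l_groups, ra_groups = [], []     # tunnel-group names by type
    tg_policy = {}                     # tunnel-group -> default-group-policy
    gp_protocols = {}                  # group-policy -> set(vpn-tunnel-protocol)
    parent = None                      # last top-level command, for sub-commands

    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if raw.startswith(" ") and parent:   # ASA indents sub-commands by one space
            if parent[0] == "tunnel-group" and tok[0] == "default-group-policy":
                tg_policy[parent[1]] = tok[1]
            elif parent[0] == "group-policy" and tok[0] == "vpn-tunnel-protocol":
                gp_protocols[parent[1]] = set(tok[1:])
            continue
        parent = tok
        if tok[:2] == ["crypto", "map"] and len(tok) > 3:
            if tok[3] == "interface":
                map_interface[tok[2]] = tok[4]
            elif "dynamic" in tok:
                map_dynamic[tok[2]] = tok[tok.index("dynamic") + 1]
            elif tok[4:6] == ["set", "peer"]:
                static_peers.update(tok[6:])
        elif tok[:2] == ["crypto", "dynamic-map"] and len(tok) > 5 and tok[4] == "set":
            dyn_settings[tok[2]].append((tok[5], tok[6:]))
        elif tok[0] == "tunnel-group" and len(tok) > 3 and tok[2] == "type":
            if tok[3] == "ipsec-l2l":
                l2l_groups.append(tok[1])
            elif tok[3] == "remote-access":
                ra_groups.append(tok[1])

    weak = []
    for dyn, settings in dyn_settings.items():
        for setting, values in settings:
            if setting == "pfs" and values and values[0] in WEAK_PFS:
                weak.append((dyn, "pfs", values[0]))
            elif setting in ("ikev1", "ikev2"):
                # values[0] is 'transform-set' or 'ipsec-proposal'; the rest are
                # names. IKEv2 proposal names are admin-chosen labels, so a hit is
                # a hint to confirm in the 'crypto ipsec ikev2 ipsec-proposal' block.
                for name in values[1:]:
                    hit = WEAK_TOKENS & set(name.upper().split("-"))
                    if hit:
                        weak.append((dyn, name, ",".join(sorted(hit))))

    return {
        "dynamic_bindings": [(map_interface.get(m), m, d) for m, d in map_dynamic.items()],
        "l2l_without_static_peer": [g for g in l2l_groups if g not in static_peers],
        "ra_groups_allowing_ipsec": [
            g for g in ra_groups
            if gp_protocols.get(tg_policy.get(g), set()) & IPSEC_PROTOCOLS
        ],
        "weak_settings": weak,
    }


def dynamic_map_may_be_needed(findings):
    """True if something in the config could only be served by the dynamic map."""
    return bool(findings["l2l_without_static_peer"] or findings["ra_groups_allowing_ipsec"])


if __name__ == "__main__":
    result = audit_dynamic_maps(SAMPLE_CONFIG)
    for key, items in result.items():
        print(f"{key}:")
        for item in items:
            print("  ", item)
    print("dynamic map may still be needed:", dynamic_map_may_be_needed(result))
```

Two caveats a practitioner would add before deleting the map. First, this is a config-only check; confirm on the box that nothing is actually negotiating against it (show crypto ipsec sa and show vpn-sessiondb before the change, and again after) and keep in mind that a DHCP-addressed L2L peer with no tunnel-group of its own authenticates under the built-in DefaultL2LGroup, which this parser does not model. Second, the binding of the dynamic map to the inside interface is worth questioning on its own: it lets hosts on the inside initiate IPsec to the firewall, which is rarely intended.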
08-05-2019 08:55 PM
08-06-2019 11:02 AM - edited 08-06-2019 11:08 AM
It is being used for Anyconnect, yes. It is enabled and in use. I just don't see the connection between the Anyconnect profiles and the configured dynamic site-to-site crypto map.