In my enviroment we have a ASA5520 setup so that the inside interface faces the corp enviroment and the outside interface faces the lab, we basically want unrestricted access into the lab but controlled access out. I am trying to setup an IPSec tunnel to the interface that has the higher security level, and then pass only unique traffic through the tunnel is this possible? I can setup an IPSec tunnel in the convential way but this way is stumping me.
See attached for a rough drawing of what we are doing. Connect Lab 1 to Lab 2 but Lab 2's ASA is configured to have untrusted interfaces facing lab envoriment.
It is not the conventional way to set up an IPsec tunnel but I don't see why it would not work.
The crypto map will be applied to the higher-security interface and either the sysopt or ACL will allow the traffic to pass through.
Should not be much different from setting the tunnel on the outside interface as commonly done.
I agree that it's not the common way of doing things. I setup the tunnel in the standard way and traffic flows properly however when I change the security level of the outside interface from 0 to 100 and the inside interface from 100 to 0 traffic stops flowing, traffic being icmp packets.
Why are you changing the security levels?
Why not terminate the tunnel on the inside interface (sec level 100) and communicate with the devices out the outside interface (sec level 0)?
Ok, let me clarify.
The tunnel will be established between ASA7 outside and ASA8 inside correct?
The configuration from ASA8 shows the crypto map applied to the outside interface, should change that to the inside interface.
The peer on ASA7 should be ASA8 inside IP.