IPSec to higher security level interface

v-mileve
Level 1

In my environment we have an ASA5520 set up so that the inside interface faces the corp environment and the outside interface faces the lab; we basically want unrestricted access into the lab but controlled access out. I am trying to set up an IPSec tunnel to the interface that has the higher security level, and then pass only unique traffic through the tunnel. Is this possible? I can set up an IPSec tunnel in the conventional way, but this way is stumping me.

See attached for a rough drawing of what we are doing: connect Lab 1 to Lab 2, but Lab 2's ASA is configured to have untrusted interfaces facing the lab environment.

5 Replies

Hi Michael,

It is not the conventional way to set up an IPsec tunnel, but I don't see why it would not work.

The crypto map will be applied to the higher-security interface and either the sysopt or ACL will allow the traffic to pass through.

Should not be much different from setting up the tunnel on the outside interface, as is commonly done.

Federico.

I agree that it's not the common way of doing things. I set up the tunnel in the standard way and traffic flows properly; however, when I change the security level of the outside interface from 0 to 100 and the inside interface from 100 to 0, traffic stops flowing (the traffic being ICMP packets).

Why are you changing the security levels?

Why not terminate the tunnel on the inside interface (sec level 100) and communicate with the devices out the outside interface (sec level 0)?
Federico.

Here are the configs for the 2 ASAs I am using. ASA8 is the one that is non-standard, where the outside interface is actually the trusted side and the inside interface is the untrusted interface. Hopefully this will help.

Ok, let me clarify.

The tunnel will be established between ASA7 outside and ASA8 inside, correct?

The configuration from ASA8 shows the crypto map applied to the outside interface; you should change that to the inside interface.

The peer on ASA7 should be ASA8 inside IP.

Federico.
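An added example (not taken from the thread or from either ASA's attached configuration) of what Federico's two points look like as ASA8 configuration: the crypto map bound to the inside interface that actually faces ASA7, regardless of that interface's security level, and decrypted tunnel traffic admitted either by `sysopt connection permit-vpn` or, if that is disabled, by an explicit interface ACL. All addresses, interface and object names and the pre-shared key are assumed placeholders; the syntax follows pre-8.3 ASA conventions (`crypto isakmp ...`), and NAT exemption is left out because it depends on the NAT rules already on the box.

```cisco
! Assumed addressing (placeholders, not from the thread):
!   ASA8 inside  (faces ASA7 / lab, security-level 0)    : 198.51.100.8
!   ASA7 outside (IPsec peer)                             : 198.51.100.7
!   Corp network behind ASA8 outside (security-level 100) : 10.8.0.0/24
!   Lab network behind ASA7                               : 10.7.0.0/24
!
interface GigabitEthernet0/0
 nameif outside
 security-level 100
 ip address 10.8.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 198.51.100.8 255.255.255.0
!
! Phase 1: IKE must be enabled on the interface that terminates the tunnel
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
!
! Phase 2: only the corp <-> lab traffic named here is tunnelled (the "unique traffic")
access-list LAB-VPN extended permit ip 10.8.0.0 255.255.255.0 10.7.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map LABMAP 10 match address LAB-VPN
crypto map LABMAP 10 set peer 198.51.100.7
crypto map LABMAP 10 set transform-set ESP-AES-SHA
!
! The map goes on the interface whose IP the peer talks to, whatever its security level
crypto map LABMAP interface inside
!
! Option A (default on ASA): decrypted VPN traffic bypasses the interface ACLs
sysopt connection permit-vpn
!
! Option B: if sysopt is disabled, decrypted traffic arriving on the security-level 0
! interface must be permitted explicitly, because low -> high is denied by default
! no sysopt connection permit-vpn
! access-list INSIDE-IN extended permit ip 10.7.0.0 255.255.255.0 10.8.0.0 255.255.255.0
! access-group INSIDE-IN in interface inside
```

On ASA7 the mirror image applies: its crypto map stays on its outside interface and `set peer 198.51.100.8` points at ASA8's inside address, as Federico notes. After both sides are in place, `show crypto isakmp sa` and `show crypto ipsec sa` show whether Phase 1 and Phase 2 came up; if the SAs form but ICMP still fails after swapping the security levels, the usual cause is that decrypted traffic is now entering a low-security interface without `sysopt connection permit-vpn` or a matching inbound ACL (Option B).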