01-20-2018 06:05 PM - edited 03-12-2019 04:56 AM
Hello All,
I was going through this guide "Cisco ASA Series VPN CLI Configuration Guide Software Version 9.1" and was looking at the example below for configuring an IPsec client. I see that in this crypto map, there is no ACL defined for interesting traffic. How does the ASA know which traffic destined for the client needs to be encrypted?
I created a new IPsec profile through ASDM and when done, the crypto map is showing "Warning, no traffic is selected". So no interesting traffic is selected.
Can someone please shed some light on how the ASA determines interesting traffic when it comes to the IPsec client?
Thanks
hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config)# crypto ikev1 outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory
01-20-2018 06:13 PM
Under "tunnel-group testgroup general-attributes" you would normally reference a group policy.
tunnel-group "testgroup" general-attributes
 default-group-policy "testgroup"
Then that group policy would reference an access list.
group-policy "testgroup" attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test-split-tunnel
access-list test-split-tunnel standard permit ...
01-23-2018 06:38 PM
Hello Philip
What if I don't use split tunneling and need to tunnel all traffic? And suppose I have multiple tunnel groups, each with a different transform set. Without an ACL on the crypto map, how does the ASA decide what transform set to apply to a specific tunnel group?
Thanks
01-24-2018 02:38 PM
Without a split access list everything from the user gets sent to the ASA (a "full tunnel").
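Putting the two answers together, here is an added example (not from the thread or from the Cisco guide) showing the split-tunnel group policy next to the full-tunnel one and how each is attached to a tunnel group; the inside network 10.10.0.0/16 and all RA-* names are constructed for illustration.

```cisco
! Added example, not from the original posts or the Cisco guide.
! The 10.10.0.0/16 network and the RA-* names are constructed.

! Variant A: split tunnel. The standard ACL lists the networks the
! client must send through the tunnel; everything else leaves the
! client in the clear. The ASA pushes this list to the client and it
! becomes the traffic selector, which is why the dynamic crypto map
! itself carries no match ACL.
access-list RA-SPLIT standard permit 10.10.0.0 255.255.0.0
group-policy RA-SPLIT-GP internal
group-policy RA-SPLIT-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT

! Variant B: full tunnel. With tunnelall there is no list at all; the
! client sends every packet to the ASA (selector 0.0.0.0/0).
group-policy RA-FULL-GP internal
group-policy RA-FULL-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall

! The group policy is applied per tunnel group, so each remote-access
! group can carry its own split list or be a full tunnel.
tunnel-group testgroup general-attributes
 address-pool testpool
 default-group-policy RA-SPLIT-GP
```

After a client connects, `show crypto ipsec sa` lists the negotiated selectors as local and remote ident pairs, which is the quickest way to confirm whether the split list or 0.0.0.0/0 was applied to that session.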