Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1008
Views
0
Helpful
3
Replies

IPSec VPN wittout Crypto-map ACL

s.nasheet
Level 1
Level 1

‎02-04-2016 07:46 AM - edited ‎02-21-2020 08:40 PM

Hi,

Is there any other way to establish the IPSec between two ASA without having to define the Crypto-map ( Proxy ACL).

For example ,  I want to send ALL  TFP traffic over the VPN without defining the ACL

Regards


Salman

Labels:
0 Helpful
3 Replies 3

Diego Lopez
Level 1
Level 1

‎02-04-2016 07:57 AM

Hello,

If the crypto map is static you definitely require an ACL to define the interesting traffic otherwise the crypto map will be incomplete and will never work. If what you want is send all the traffic to a server or a particular network over the tunnel you can define your ACL with source any and destination the server or subnet you want to communicate over the tunnel, this should not affect the other tunnels if you dont have the same destination in any of them. 

access-list vpn-traffic extended permit ip any remote_ip mask 

Regards, please rate.

0 Helpful

JP Miranda Z
Cisco Employee
Cisco Employee

‎02-04-2016 09:26 AM

Hi s.nasheet,

You can try using a dynamic tunnel, in this case even if the other site of the tunnel is using a static public ip you can still configure a dynamic to static vpn, using this your site is not going to use any ACL and the other site of the tunnel is going to specify what they would like to send through the tunnel.

If you are expecting to have a VPN tunnel without interesting traffic between 2 ASAs that is not possible.

-JP-

0 Helpful

rizwanr74
Level 7
Level 7

‎02-04-2016 11:02 AM

Hello Salman,

You can use pre-existing dynamic tunnel group such as "DefaultL2LGroup" will enable you to use IPSec tunnel without crypto-acl however you still require to have a nat-exempt statement.

Dynamic tunnel will not work, if session is being initiated from dynamic-tunnel side but if the session is being initiated from remote tunnel side it will work and at the remote-tunnel side must have a static crypto-map must be in place, in other words both sides cannot be in dynamic tunnels mode.

thanks

Rizwan Rafeek

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents