02-04-2016 07:46 AM - edited 02-21-2020 08:40 PM
Hi,
Is there any other way to establish IPsec between two ASAs without having to define the crypto map (proxy ACL)?
For example, I want to send ALL TFP traffic over the VPN without defining the ACL.
Regards
Salman
02-04-2016 07:57 AM
Hello,
If the crypto map is static, you definitely require an ACL to define the interesting traffic; otherwise the crypto map will be incomplete and will never work. If what you want is to send all the traffic to a server or a particular network over the tunnel, you can define your ACL with source any and destination the server or subnet you want to communicate with over the tunnel. This should not affect the other tunnels if you don't have the same destination in any of them.
access-list vpn-traffic extended permit ip any remote_ip mask
Regards, please rate.
02-04-2016 09:26 AM
Hi s.nasheet,
You can try using a dynamic tunnel. In this case, even if the other side of the tunnel is using a static public IP, you can still configure a dynamic-to-static VPN. Using this, your side is not going to use any ACL, and the other side of the tunnel is going to specify what they would like to send through the tunnel.
If you are expecting to have a VPN tunnel without interesting traffic between two ASAs, that is not possible.
-JP-
02-04-2016 11:02 AM
Hello Salman,
You can use a pre-existing dynamic tunnel group such as "DefaultL2LGroup", which will enable you to use an IPsec tunnel without a crypto ACL; however, you still require a NAT-exempt statement.
A dynamic tunnel will not work if the session is being initiated from the dynamic-tunnel side, but if the session is being initiated from the remote tunnel side it will work, and the remote-tunnel side must have a static crypto map in place. In other words, both sides cannot be in dynamic tunnel mode.
thanks
Rizwan Rafeek
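The two arrangements discussed in this thread, a static crypto map with a crypto ACL on one side and a dynamic crypto map with the DefaultL2LGroup on the other, side by side as an added configuration example; it is not from any of the posters and not from Cisco documentation, and it assumes ASA 8.4+ syntax, IKEv1 with a pre-shared key, constructed example subnets (10.1.1.0/24 behind the static side, 10.2.2.0/24 behind the dynamic side), and 203.0.113.2 as the static side's public address.

```cisco
! ===== Static side (peer with the fixed public IP, 203.0.113.2) =====
! The crypto ACL defines the interesting traffic; this is the only place
! where the traffic selectors live, so the dynamic side inherits them.
object network LOCAL-NET
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-NET
 subnet 10.2.2.0 255.255.255.0
access-list vpn-traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! NAT exemption (identity NAT) so VPN traffic is not translated before encryption.
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address vpn-traffic
crypto map OUTSIDE_MAP 10 set peer 198.51.100.7
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
! Peer-specific tunnel group; the key is a placeholder, never a real value.
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! ===== Dynamic side (no crypto ACL; cannot initiate, only answer) =====
object network LOCAL-NET
 subnet 10.2.2.0 255.255.255.0
object network REMOTE-NET
 subnet 10.1.1.0 255.255.255.0
! The NAT-exempt statement is still required here, as the thread notes.
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Dynamic map: no "match address"; selectors come from the initiator's proposal.
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
! Unknown peers land in DefaultL2LGroup; the shared key must match the static side.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
```

Two practical consequences follow from this layout. First, because any peer that presents the DefaultL2LGroup key can bring up a tunnel on the dynamic side, that key deserves the same handling as a credential, and the dynamic side's interface ACLs still apply to decrypted traffic unless sysopt connection permit-vpn is left at its default. Second, the tunnel only comes up when traffic from the static side matches its crypto ACL, so a host behind the dynamic side cannot start a session until the static side has initiated; the constructed example subnets in the block are placeholders for whatever the deployment actually uses.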