08-08-2012 12:30 AM
Guys, suppose we have a VPN to a different site and we would like to encrypt the data. Normally we make an access list which is used for interesting traffic and used in the crypto map.
So my network is 10.1.1.0/24 and the remote site is 10.2.2.0/24. Does my access list depend on which site initiates traffic, or should I use both in the access list?
I am trying to get my head around this: if I see a crypto map and see an access list, should I be able to tell which site initiates the connection?
08-08-2012 01:09 AM
The access-list on the crypto map that you should see should be as follows:
access-list
Assuming that you have ASA firewall. If you are using router, then the access-list would use wildcard mask:
access-list
The remote end should have the mirror image access-list, so the remote end would say:
access-list
The ACL does not tell you which site can initiate the connection. Typically both sides can initiate the connection, unless one end has a dynamic public IP address as the VPN termination point on the outside interface, in which case only the dynamic end can initiate the tunnel.
If it's a static crypto map, instead of a dynamic crypto map, then typically both sides can initiate the tunnel. The crypto ACL needs to be a mirror image on both sides.
08-08-2012 02:28 AM
Hi Jennifer,
As always an excellent reply from yourself. Now, both sites have static public IP addresses.
I have seen that in many crypto map ACLs in our ASA both sites are configured, for example:
access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list ABC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
That's why I really get confused.
Secondly, I have checked my ASA and it has the following commands:
crypto dynamic-map outside_dyn_map 999 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 999 set security-association lifetime seconds 86400
What does this mean? Please explain the difference between dynamic and static crypto maps.
Thanks again
08-08-2012 08:31 AM
The crypto ACL does not seem correct. It looks like someone has configured it both ways, which is incorrect. It should only be in one direction, i.e. source: local LAN, and destination: remote LAN.
From your example, if 10.1.1.0/24 is the local LAN, and 10.2.2.0/24 is the remote LAN:
On the local ASA:
access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
On the remote ASA:
access-list ABC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
A dynamic crypto map is used for VPN Client connections and/or a VPN peer that has a dynamic IP address. Because the IP address changes for a VPN peer that has a dynamic IP, and for a VPN Client we never know what IP address the client will be connecting from, a dynamic crypto map is used.
A static crypto map is used when the remote end has a static VPN peer IP address.
Hope that is clear.
08-08-2012 03:38 PM
Hi, thanks for the reply. So it means that it doesn't matter which site initiates the connection? Even if I have a mail server which is 10.1.1.1 and a client on 10.2.2.0 is accessing it, still in that case the ACL should be the same, my local LAN as source and the 10.2.x network as destination, and it will work? Suppose the mail server starts initiating, will it still work? Thanks again.
Sent from Cisco Technical Support iPhone App
08-09-2012 05:51 AM
Yes, it doesn't matter which site initiates the connection in your case; both sides can initiate the connection.
10.1.1.1 and 10.2.2.x can both initiate the connection and it will bring up the VPN tunnel.
The access-list should only be configured in one direction, i.e. source: local LAN, destination: remote LAN.
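The rule given in the answers above (each side's crypto ACL is written local LAN to remote LAN, the two sides are mirror images, and an ACL that lists both directions is a misconfiguration) is easy to check mechanically when auditing a pair of ASA or router configs. The following script is an added example written for this thread, not code from Cisco or from anyone in the discussion; the ACL lines it parses are constructed from the subnets in the thread, and the `wildcard` flag is my own convention for telling the parser that masks are IOS wildcard masks rather than ASA subnet masks.

```python
import ipaddress
import re

# Matches "permit ip" entries in the form quoted in the thread, with or without
# the ASA "extended" keyword:
#   access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def parse_ace(line, wildcard=False):
    """Return (src_network, dst_network) for one permit-ip ACE.

    wildcard=True treats the masks as router wildcard masks (0.0.0.255);
    the default treats them as ASA subnet masks (255.255.255.0).
    """
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a permit ip ACE: {line!r}")

    def net(addr, mask):
        if wildcard:  # invert the wildcard to get a conventional subnet mask
            inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
            mask = str(ipaddress.IPv4Address(inverted))
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)

    return net(m["src"], m["smask"]), net(m["dst"], m["dmask"])


def parse_acl(lines, wildcard=False):
    """Parse every non-blank line of a crypto ACL into (src, dst) pairs."""
    return [parse_ace(line, wildcard) for line in lines if line.strip()]


def find_bidirectional(acl):
    """Unordered (a, b) pairs for which the ACL contains both a->b and b->a,
    i.e. the 'configured both ways' mistake discussed in the thread."""
    pairs = set(acl)
    return sorted({tuple(sorted((s, d))) for s, d in acl if (d, s) in pairs})


def check_crypto_acls(local_lines, remote_lines, wildcard=False):
    """Return a list of problems; an empty list means the two crypto ACLs are a
    clean mirror image with each side written local LAN -> remote LAN."""
    local = parse_acl(local_lines, wildcard)
    remote = parse_acl(remote_lines, wildcard)
    problems = []
    for side, acl in (("local", local), ("remote", remote)):
        for a, b in find_bidirectional(acl):
            problems.append(f"{side} ACL lists both {a}->{b} and {b}->{a}; keep only local->remote")
    for s, d in local:
        if (d, s) not in remote:
            problems.append(f"local {s}->{d} has no mirror {d}->{s} on the remote side")
    for s, d in remote:
        if (d, s) not in local:
            problems.append(f"remote {s}->{d} has no mirror {d}->{s} on the local side")
    return problems


# Constructed sample ACLs using the subnets from the thread.
GOOD_LOCAL = ["access-list ABC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"]
GOOD_REMOTE = ["access-list ABC permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"]
# The "both ways" ACL the original poster found on the ASA.
BAD_LOCAL = GOOD_LOCAL + GOOD_REMOTE
# Router form of the same correct pair, using wildcard masks.
ROUTER_LOCAL = ["access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"]
ROUTER_REMOTE = ["access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"]

if __name__ == "__main__":
    for label, loc, rem, wc in (
        ("ASA, correct", GOOD_LOCAL, GOOD_REMOTE, False),
        ("ASA, both ways on local side", BAD_LOCAL, GOOD_REMOTE, False),
        ("router, correct", ROUTER_LOCAL, ROUTER_REMOTE, True),
    ):
        print(f"{label}: {check_crypto_acls(loc, rem, wc) or 'OK'}")
```

The check treats ACL entries as unordered sets, which is enough for the one-line ACLs in the thread; a real audit over ACLs with many entries would additionally want to confirm that no entry on one side overlaps a different entry on the other, since the peers negotiate on the exact proxy identities.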