06-27-2017 12:01 PM
Hi Everyone,
Looking at the below configuration.
Would the ACL "CRYPTOMAP-ACL-10" be used instead of CRYPTOMAP-ACL-20 if the Montana peer (map 20) was to initiate a VPN connection? My concern is that the ACL would follow the normal order of operations that ACLs follow. However, I would like to believe the ACL is only specific to the crypto map that it's applied to.
Map 10 has a permit any any as recommended by Amazon but I have a filter policy applied to the tunnel group.
!
access-list CRYPTOMAP-ACL-10 line 1 extended permit ip any any
access-list CRYPTOMAP-ACL-20 line 1 extended permit ip 10.0.0.0 255.0.0.0 172.26.13.0 255.255.255.0
!
crypto map outside_map 10 match address CRYPTOMAP-ACL-10
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer "8.8.8.8"
crypto map outside_map 10 set ikev1 transform-set mytransformsetX
crypto map outside_map 10 set security-association lifetime seconds 3600
!
crypto map outside_map 20 match address CRYPTOMAP-ACL-20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer "4.4.4.4"
crypto map outside_map 20 set ikev1 transform-set mytransformsetXXX
crypto map outside_map 20 set security-association lifetime seconds 3600
Thanks Everyone!
06-27-2017 02:15 PM
This would be a problem. You may even be able to establish a tunnel if the remote side initiates the negotiation, but when it comes to passing traffic, the ASA checks the ACL in sequence. Traffic destined towards the 2nd tunnel will match the 1st one and fail. You should move the more specific tunnel to the top.
That being said, the AWS usually is from any to VPN, not any any. An example config is below:
http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html
If you can change your AWS crypto ACL to something more specific than "any any", then the order might not matter.
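The sequence-order behaviour described in the answer, as an added model (not ASA code and not part of the original thread): crypto map entries are walked in ascending sequence number and the first crypto ACL that permits the flow decides which peer the traffic is encrypted to. The two configurations below are constructed from the posted one; the test addresses are made up.

```python
"""Model of ASA crypto map selection: entries are evaluated in ascending
sequence order and the first crypto ACL permitting the flow wins."""
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) line \d+ extended permit ip (.+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)")

# Configuration as posted: the AWS "any any" ACL sits at sequence 10.
AS_POSTED = [
    "access-list CRYPTOMAP-ACL-10 line 1 extended permit ip any any",
    "access-list CRYPTOMAP-ACL-20 line 1 extended permit ip 10.0.0.0 255.0.0.0 172.26.13.0 255.255.255.0",
    "crypto map outside_map 10 match address CRYPTOMAP-ACL-10",
    "crypto map outside_map 20 match address CRYPTOMAP-ACL-20",
]
# The fix suggested in the answer: the more specific (Montana) ACL first.
REORDERED = AS_POSTED[:2] + [
    "crypto map outside_map 10 match address CRYPTOMAP-ACL-20",
    "crypto map outside_map 20 match address CRYPTOMAP-ACL-10",
]


def parse_net(tokens):
    """Consume one ASA address ('any' or 'addr mask'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(lines):
    """Return ({acl_name: [(src_net, dst_net), ...]}, [(seq, acl_name), ...])."""
    acls, maps = {}, []
    for line in lines:
        if m := ACL_RE.match(line.strip()):
            src, rest = parse_net(m.group(2).split())
            dst, _ = parse_net(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := MAP_RE.match(line.strip()):
            maps.append((int(m.group(2)), m.group(3)))
    return acls, sorted(maps)  # ASA walks entries by ascending sequence


def select_entry(config_lines, src_ip, dst_ip):
    """First (seq, acl) whose crypto ACL permits src->dst, or None (clear-text)."""
    acls, maps = parse_config(config_lines)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, acl in maps:
        if any(s in sn and d in dn for sn, dn in acls.get(acl, [])):
            return seq, acl
    return None
```

With the posted order a Montana-bound flow (10.x to 172.26.13.x) is claimed by sequence 10 and sent to the AWS peer; after reordering it lands on CRYPTOMAP-ACL-20 while everything else still falls through to the AWS entry.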