
Multiple Crypto Maps w/ Crypto Map ACL

DialerString_2
Level 3

Hi Everyone,

Looking at the below configuration.

Would the ACL "CRYPTOMAP-ACL-10" be used instead of CRYPTOMAP-ACL-20 if the Montana peer (map 20) was to initiate a VPN connection? My concern is that the ACL would follow the normal order of operations that ACLs follow. However, I would like to believe the ACL is only specific to the crypto map that it's applied to.

Map 10 has a permit any any as recommended by Amazon but I have a filter policy applied to the tunnel group.

!
access-list CRYPTOMAP-ACL-10 line 1 extended permit ip any any
access-list CRYPTOMAP-ACL-20 line 1 extended permit ip 10.0.0.0 255.0.0.0 172.26.13.0 255.255.255.0
!
crypto map outside_map 10 match address CRYPTOMAP-ACL-10
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer "8.8.8.8"
crypto map outside_map 10 set ikev1 transform-set mytransformsetX
crypto map outside_map 10 set security-association lifetime seconds 3600
!
crypto map outside_map 20 match address CRYPTOMAP-ACL-20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer "4.4.4.4"
crypto map outside_map 20 set ikev1 transform-set mytransformsetXXX
crypto map outside_map 20 set security-association lifetime seconds 3600

Thanks Everyone!

Accepted Solution

Rahul Govindan
VIP Alumni

This would be a problem. You may even be able to establish a tunnel if the remote side initiates the negotiation, but when it comes to passing traffic, the ASA checks the ACLs in sequence. Traffic destined for the 2nd tunnel will match the 1st one and fail. You should move the more specific tunnel to the top.

That being said, the AWS ACL is usually from any to VPN, not any any. An example config is below:

http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html

If you can change your AWS crypto ACL to something more specific than "any any", then the order might not matter.
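To make the ordering point in the answer above concrete, here is an added example (not Cisco code and not part of this thread) that models how an ASA walks crypto map entries in ascending sequence number and hands a flow to the first entry whose "match address" ACL permits it. It parses the two ACL lines from the question as posted, then compares three variants of the crypto map: the configuration as posted, the specific Montana entry moved ahead of the AWS entry (the sequence number 5 is an assumed value), and the AWS ACL narrowed to "any -> VPC CIDR" in the style of the linked AWS guide (172.31.0.0/16 is a placeholder CIDR, not taken from the thread). The flow 10.1.2.3 -> 172.26.13.5 is constructed for the demonstration.

```python
# Added example: a minimal model of ASA crypto map selection.
# Not Cisco code; the VPC CIDR 172.31.0.0/16 and the reordered sequence
# number 5 are assumptions, and the test flows are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                         # crypto map sequence number
    peer: str                        # 'set peer' address
    acl: Tuple[AclEntry, ...]        # the 'match address' ACL, in line order


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs use subnet masks (not wildcard masks); ipaddress accepts NET/MASK
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]


def parse_asa_acl_line(line: str) -> AclEntry:
    """Parse 'access-list NAME [line N] extended permit|deny ip SRC DST'."""
    tokens = line.split()
    if tokens[2] == "line":          # drop the optional 'line N' from 'show access-list'
        del tokens[2:4]
    assert tokens[2] == "extended" and tokens[4] == "ip", line
    action = tokens[3]
    src, rest = _take_addr(tokens[5:])
    dst, rest = _take_addr(rest)
    return AclEntry(action, src, dst)


def acl_permits(acl, src_ip, dst_ip) -> bool:
    """First matching ACL line decides; no match means the ACL does not permit."""
    for e in acl:
        if src_ip in e.src and dst_ip in e.dst:
            return e.action == "permit"
    return False


def select_entry(crypto_map, src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Return the first entry (ascending seq) whose crypto ACL permits src -> dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(entry.acl, src_ip, dst_ip):
            return entry
    return None


def peer_for(crypto_map, src: str, dst: str) -> Optional[str]:
    """Peer the flow would be encrypted towards, or None if no entry matches."""
    entry = select_entry(crypto_map, src, dst)
    return entry.peer if entry else None


# The two ACL lines exactly as posted in the question
ACL_10 = (parse_asa_acl_line(
    "access-list CRYPTOMAP-ACL-10 line 1 extended permit ip any any"),)
ACL_20 = (parse_asa_acl_line(
    "access-list CRYPTOMAP-ACL-20 line 1 extended permit ip 10.0.0.0 255.0.0.0 172.26.13.0 255.255.255.0"),)
# Assumed narrower AWS-style ACL: any -> VPC CIDR (172.31.0.0/16 is a placeholder)
ACL_10_NARROW = (parse_asa_acl_line(
    "access-list CRYPTOMAP-ACL-10 extended permit ip any 172.31.0.0 255.255.0.0"),)

AS_POSTED = (CryptoMapEntry(10, "8.8.8.8", ACL_10), CryptoMapEntry(20, "4.4.4.4", ACL_20))
# Fix 1: give the more specific entry a lower sequence number (5 is assumed)
REORDERED = (CryptoMapEntry(10, "8.8.8.8", ACL_10), CryptoMapEntry(5, "4.4.4.4", ACL_20))
# Fix 2: narrow the AWS ACL so the two entries no longer overlap
NARROWED = (CryptoMapEntry(10, "8.8.8.8", ACL_10_NARROW), CryptoMapEntry(20, "4.4.4.4", ACL_20))

if __name__ == "__main__":
    flow = ("10.1.2.3", "172.26.13.5")   # constructed host -> Montana subnet flow
    for name, cmap in (("as posted", AS_POSTED), ("reordered", REORDERED), ("narrowed", NARROWED)):
        e = select_entry(cmap, *flow)
        print(f"{name:10s}: {flow[0]} -> {flow[1]} hits seq {e.seq}, peer {e.peer}")
```

Run as posted, the Montana-bound flow hits sequence 10 and is steered to the AWS peer 8.8.8.8, which is exactly the failure the answer describes; either fix sends it to 4.4.4.4. The reordered variant still leaves "permit ip any any" catching every other flow, so the narrowed ACL is the cleaner outcome when AWS permits it.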
