Is this how my VPN should work? (ASA and 877 router)

Apr 14th, 2008


I have a Cisco ASA 5520 which has a remote VPN connected to it from a Cisco 877 which is just on a DSL line.

I have allowed 3 subnets through the VPN via the SA's. When the VPN is up the ASA says there is 1 IKE tunnel up and 3 IPSec tunnels, which I assume are these 3 subnets that the remote users need.

Is this how it should be, or can/should it say 1 IKE tunnel and 1 IPSec tunnel?

The thing that worries me is I'm going to add many more VPN's and read this:

"Each ACE creates 2 unidirectional IPSec SA's. If you have 100 entries in your ACL, then the ASA will create 200 IPSec SA's. Using host-based crypto ACE's is not recommended because Cisco ASA uses system resources to maintain the SA's which may affect system performance."

Jon Marshall Mon, 04/14/2008 - 09:09


This is exactly how it should work I'm afraid. Every separate entry in your access-list means 2 SA's for IPSEC just as your quote says.

What you can do if it is a major worry is to be more general in the crypto map access-list, i.e.

say you need to allow traffic to hosts - 6 from

you could do

access-list vpntraffic permit ip

This would allow traffic to hosts -> 7

but then you can lock down access with the actual access-list on your device to only allow traffic through on the ports you want to the IP's you want.

The access-list can either be applied to the outside interface or you can use a vpnfilter with the ASA device.

It's a trade-off basically. Being less specific on the crypto map access-list means fewer SA's, but you must then lock it down with an access-list/vpnfilter.


jamesgonzo Mon, 04/14/2008 - 11:10

Thanks for clearing up my understanding.

1.) The thing is I'm not sure how much the ASA 5520 can handle? I currently have all the VPN's and Cisco client VPN's going through my Cisco 3015.

These are 10 site-to-site VPN's which are on DSL lines (cisco 877's) which have about 10 users on each accessing about 10 subnets on each.

2.) Also, for my understanding, the SA's I have configured for the crypto are the protected networks; it seems the networks can talk to each other no problem, and it seems I don't need to tell the remote router what ports I need to open. Once they are in the SA's I take it they are trusted and have full access?

3.) Because the VPN's to the ASA are protected networks, are they seen on the ASA as on the inside interface or outside?

Thanks in advance!

Jon Marshall Mon, 04/14/2008 - 11:19

1) Have a look at this performance sheet for the ASAs. You can see that the 5520 can handle a fair bit of VPN throughput. It does depend on how many clients you have concurrently.

2) If you don't specify an access-list on the interface then it will allow what you have specified in the crypto access-list. You can lock this down by specifying a more specific access-list than the crypto access-list and applying this to the outside interface. You still need the crypto access-list.

3) Not sure what you mean. The ASA knows the VPNs are accessible from its outside interface down a tunnel.
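
The trade-off Jon describes in both replies (fewer crypto ACEs, then lock down with a vpn-filter), shown as an added, constructed ASA configuration fragment; it is not from the original thread, and every address, ACL name, group-policy name and peer IP is a made-up placeholder:

```text
! Constructed example, not from the thread. Addresses, names and the peer IP are placeholders.
!
! Host-based crypto ACL: 3 ACEs = 6 unidirectional IPsec SAs for this one peer.
access-list vpn-site1-crypto extended permit ip 10.1.0.0 255.255.0.0 host 192.168.10.5
access-list vpn-site1-crypto extended permit ip 10.1.0.0 255.255.0.0 host 192.168.10.6
access-list vpn-site1-crypto extended permit ip 10.1.0.0 255.255.0.0 host 192.168.10.7
!
! Summarised crypto ACL: 1 ACE = 2 IPsec SAs (one per direction).
! The 877 must carry the mirror image of this ACE or phase 2 will not match.
access-list vpn-site1-crypto-summary extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
crypto map outside_map 10 match address vpn-site1-crypto-summary
!
! vpn-filter ACL restricts what the broad SA may actually carry.
! Caveat: the ASA evaluates vpn-filter ACEs with the REMOTE network as source and
! the LOCAL network as destination, whichever side opens the connection.
access-list vpn-site1-filter extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.5 eq 443
access-list vpn-site1-filter extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.6 eq 445
access-list vpn-site1-filter extended deny ip any any log
!
group-policy site1-policy internal
group-policy site1-policy attributes
 vpn-filter value vpn-site1-filter
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy site1-policy
!
! Caveat for the "apply it to the outside interface" option: by default
! "sysopt connection permit-vpn" makes decrypted VPN traffic bypass interface ACLs,
! so that option only takes effect after "no sysopt connection permit-vpn".
!
! Verify: expect 1 IKE SA and 2 IPsec SAs for this peer after the change.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

The `show` output is what confirms the SA count dropped; the vpn-filter `deny ... log` line gives a log trail of anything the broad crypto ACE now lets into the tunnel that the filter rejects.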


