09-08-2008 05:50 AM - edited 02-21-2020 03:55 PM
3002-->5520.
Under system status of the 3002. I have:
IKE | public ip of 5520 | etc....
IPSEC | public ip of 5520 | 3DES | HMAC/SHA-1| 0 | 0 | 0 | 0
IPSEC | 0.0.0.0/0.0.0.0 | etc....
Why do I have an IPsec tunnel with a remote address for the public interface of my ASA? I don't have any split tunneling configured either.
09-08-2008 11:31 AM
Marshall
Perhaps there is something that I am not understanding correctly. I thought that you were indicating that the 3002 has a VPN connection to the ASA (when you say 3002-->5520)
So why are you surprised that the 3002 has an IKE (ISAKMP) and an IPSec SA to the ASA?
If I have failed to understand some aspect of the question then please clarify.
HTH
Rick
09-08-2008 11:36 AM
Correct. The 3002 hardware client connects to an ASA 5520. Once the tunnel is established, I see 1 IKE session and 2 IPsec sessions.
For a regular VPN user, I have 1 IKE and 1 IPsec session...
09-08-2008 11:39 AM
Looks like you have multiple security associations defined for the tunnel.
09-08-2008 11:44 AM
How do I define which SAs go with each tunnel? Is this done through the ASA or the hardware client?
09-08-2008 11:52 AM
In the ASA, each SA would be a separate entry in the crypto map match access list. The example below would be 2 SAs.
access-list outside_cryptomap_1 extended permit ....
access-list outside_cryptomap_1 extended permit ....
crypto map outside_map 1 match address outside_cryptomap_1
09-08-2008 01:43 PM
If there are no corresponding lines like these...
crypto map outside_map x match address Outside_cryptomap_2
or
crypto map outside_map x match address Outside_cryptomap_3
...then these lines are doing nothing at all.
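The two points above (one IPsec SA per permit entry in the ACL a crypto map entry matches, and ACLs that no crypto map references doing nothing) can be checked mechanically against a config dump. The script below is an added example, not code from this thread or from Cisco; the config fragment, ACL names and peer address in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed ASA config fragment for illustration (not from the thread above).
SAMPLE_CONFIG = """
access-list outside_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list Outside_cryptomap_2 extended permit ip 10.1.1.0 255.255.255.0 10.4.4.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.10
"""

# A permit ACE in a named access-list (the "extended" keyword is optional on ASA).
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\b")
# A crypto map entry binding a sequence number to a match ACL.
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)")


def audit_crypto_acls(config: str):
    """Return (expected SAs per crypto map entry, ACLs no crypto map references).

    Each permit ACE in the matched ACL negotiates its own IPsec SA, so the
    ACE count per referenced ACL is the SA count to expect for that entry.
    ACL names are case-sensitive on the ASA, so they are compared verbatim.
    """
    aces = defaultdict(int)   # ACL name -> number of permit ACEs
    referenced = {}           # (crypto map name, seq) -> ACL name it matches
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            aces[m.group(1)] += 1
            continue
        m = MATCH_RE.match(line)
        if m:
            referenced[(m.group(1), int(m.group(2)))] = m.group(3)
    expected_sas = {entry: aces.get(acl, 0) for entry, acl in referenced.items()}
    unreferenced = sorted(set(aces) - set(referenced.values()))
    return expected_sas, unreferenced


if __name__ == "__main__":
    sas, orphans = audit_crypto_acls(SAMPLE_CONFIG)
    for (name, seq), count in sas.items():
        print(f"crypto map {name} {seq}: expect {count} IPsec SA(s)")
    for acl in orphans:
        print(f"access-list {acl} is not matched by any crypto map entry")
```

Run it against the output of `show running-config` to compare the expected SA count with what `show crypto ipsec sa` actually reports.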