03-26-2015 08:03 AM
Hi All,
I have a core ASA that is running 8.04 code, IKE v1 only, and does not have any group policies for each individual L2L IPSec tunnel defined, or applied under the tunnel-groups. However, many of my branch ASAs are on ASA code 9+. When I create a tunnel on a 9+ code branch ASA in ASDM to the core ASA, the ASA auto-configures a group-policy and applies it to the tunnel-group as a general attribute.
My question: If my core ASA does not have any group-policies defined or applied to any of the tunnel-groups, then is the group policy that is auto-created and applied on the 9+ code branch ASA for this tunnel required? Or is it moot since the other end has nothing configured/applied? If it is moot, then I want to clean up the ASA configs by removing the group-policies, but I want to make sure that is safe first.
Example:

Branch: 9+ Code ASA:
group-policy GroupPolicy_50.xxx.xx.190 internal
group-policy GroupPolicy_50.xxx.xx.190 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 50.xxx.xx.190 type ipsec-l2l
tunnel-group 50.xxx.xx.190 general-attributes
 default-group-policy GroupPolicy_50.xxx.xx.190
tunnel-group 50.xxx.xx.190 ipsec-attributes
 ikev1 pre-shared-key *****

Core: 8.04 Code ASA:
tunnel-group 12.xxx.xxx.178 type ipsec-l2l
tunnel-group 12.xxx.xxx.178 ipsec-attributes
 pre-shared-key *
03-29-2015 01:54 PM
You are required to have a group-policy for site-to-site and RA VPN, for that matter. However, if you do not define a group-policy, the tunnel will default to the default group-policy.
--
Please remember to select a correct answer and rate helpful posts
03-28-2015 07:35 PM
Hello Dean,
You don't need a group-policy assigned to a tunnel-group to establish an L2L IPSec tunnel, regardless of version differences.
The only reason you would require a group-policy for an L2L IPsec tunnel is to control port-based traffic that can traverse the tunnel; as you know, the crypto ACL and NAT-exemption ACL will not accept any port-defined IP addresses and must be IP-to-IP traffic only.
Hope that answers your question.
Thanks
Rizwan Rafeek.
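As an added illustration (not code from this thread or from Cisco), the script below parses ASA tunnel-group and group-policy lines like the ones posted above, resolves which group-policy each L2L peer actually gets (the explicit default-group-policy, otherwise the built-in DfltGrpPolicy, as the accepted answer says), and flags policies that are referenced but never defined or that carry no vpn-filter, the group-policy attribute that provides the port-level control Rizwan describes. The sample config, its peer addresses and the vpn-filter line are constructed.

```python
import re

# Constructed sample: the thread's two snippets with placeholder peers (the
# vpn-filter line is assumed) plus a tunnel-group naming an undefined policy.
SAMPLE_CONFIG = """\
group-policy GroupPolicy_50.0.0.190 internal
group-policy GroupPolicy_50.0.0.190 attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value L2L_FILTER
tunnel-group 50.0.0.190 type ipsec-l2l
tunnel-group 50.0.0.190 general-attributes
 default-group-policy GroupPolicy_50.0.0.190
tunnel-group 50.0.0.190 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 12.0.0.178 type ipsec-l2l
tunnel-group 192.0.2.9 type ipsec-l2l
tunnel-group 192.0.2.9 general-attributes
 default-group-policy MissingPolicy
"""

HEADER = re.compile(r"(tunnel-group|group-policy) (\S+) (.+)$")

def parse_asa(config):
    # Returns (L2L peers, explicit default-group-policy per peer, attrs per policy).
    l2l, explicit, policies, section = [], {}, {}, ("", "", "")
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:                                   # top-level line opens a section
            section = obj, name, rest = m.groups()
            if rest == "type ipsec-l2l":
                l2l.append(name)
            elif obj == "group-policy" and rest != "attributes":   # internal/external
                policies.setdefault(name, set())
        elif not line.startswith(" "):          # unrelated top-level command
            section = ("", "", "")
        elif section[2] == "general-attributes" and line.strip().startswith("default-group-policy "):
            explicit[section[1]] = line.split()[1]
        elif section[2] == "attributes":        # group-policy attribute line
            policies.setdefault(section[1], set()).add(line.strip())
    return l2l, explicit, policies

def audit(config):
    # Effective policy per L2L peer (DfltGrpPolicy when none is applied), defined?, vpn-filter?
    l2l, explicit, policies = parse_asa(config)
    report = {}
    for peer in l2l:
        name = explicit.get(peer, "DfltGrpPolicy")
        attrs = policies.get(name, ())
        report[peer] = {"policy": name, "defined": name == "DfltGrpPolicy" or name in policies,
                        "vpn_filter": any(a.startswith("vpn-filter") for a in attrs)}
    return report
```

A peer reported with `vpn_filter: False` passes whatever the crypto ACL permits with no port-level restriction, which is exactly the case where removing the auto-created group-policy changes nothing.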