What is the difference among Normal ACL, crypto ACL, ACL Manager
I guess you are partly referring to the terms used in the ASDM Configuration section.
I don't personally use ASDM all that much, as I do most configurations through the CLI, so I might not be familiar with all the terms used on the ASDM side.
Generally speaking, the terms you mention mean the following:
Normal ACL: I assume this refers to the ACLs that you are using on the ASA interfaces to control traffic. These ACLs are usually attached in the inbound direction to the ASA interface, in which case they control traffic that is coming from the network behind that interface towards (inbound to) that interface. In other words, they are heading out towards some destination hosts behind a different ASA interface. There is usually no need to define an outbound ACL.
Crypto ACL: this usually refers to the ACL you define in a L2L VPN configuration to define the local/remote networks of the VPN connection. This tells the ASA between which networks or hosts traffic should be forwarded through VPN, and through which VPN. I guess a Split Tunnel ACL in VPN Client setups could also be called a Crypto ACL, but to me it usually refers to the L2L VPN connection's ACL.
ACL Manager: I am not completely sure about this. There is a section in ASDM called this. It seems to me to be the section where you can see all the ACLs currently configured on your ASA firewall. Notice though that not all of the ACLs are necessarily attached to any interface or used in some other role.
With regard to your second question:
The Crypto ACL that is used in the "crypto map" configuration tells the ASA what traffic needs to be forwarded through a VPN connection. You define a source network/host and a destination network/host (or multiple of both), which tells the ASA what traffic to forward.
The NAT configuration is not that clear. Most of the time you will configure NAT0, as you might be connecting 2 offices together through the Internet with the help of a L2L VPN. Then it's natural to configure NAT0 so that your 2 LAN networks can directly communicate using their local IP addresses. In some cases you might, on the other hand, want to use a public IP address even through the L2L VPN connection. In this case you naturally would not configure NAT0 (unless you actually had a public IP address/subnet in your LAN network), but you would rather define that public IP address as the source in the Crypto ACL.
With regard to your third question:
These 2 different ACLs (if we are talking about interface ACLs and Crypto ACLs) don't really "compete" with each other. When traffic attempts to pass through the ASA, the interface ACL is checked first. Then NAT is applied (depending on whether it's configured or not), and after this the traffic is matched against the Crypto ACL.
So let's say you configured a L2L VPN and your aim was to have the LAN networks at both ends connect to each other with their original IP addresses; then you would need a NAT0 configuration to avoid NAT happening. You would also configure the actual local and remote networks in the Crypto ACL. Now let's say you forgot to configure NAT0; then your traffic would probably match the Dynamic PAT for Internet traffic. And naturally, when this NAT is applied, the source address doesn't match the one in the Crypto ACL anymore, so the traffic is NOT passed on to the L2L VPN but rather forwarded to the Internet.
With regard to your fourth question:
There are several things that we can check. Naturally you can check the L2L VPN configurations.
You first check the Crypto Map configuration with
show run crypto map
Find the section for the correct L2L VPN connection, on the basis of the peer IP address for example. (The lines related to one L2L VPN connection always have the same after the Crypto Map name.)
Find the following CLI configuration line:
Then you can check what the ACL has configured with the command
show run access-list
This will tell you what traffic is supposed to be passed through the L2L VPN connection.
To confirm what would happen to a certain packet coming from the LAN through the ASA towards some remote address, you can use the "packet-tracer" command. This will show a VPN phase if the packet matches some VPN configuration.
Example commands could be:
packet-tracer input inside tcp
packet-tracer input inside udp
packet-tracer input inside icmp
The above are example commands for a TCP, UDP or ICMP test. The source interface in this case is "inside", where the connecting host would be located. In your ASA the interface might have a different name.
The Packet Tracer is also available through ASDM in its top menus.
Hope this helps.
Please do remember to mark a reply as the correct answer if it answered your question.
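Editor's note: the order of operations described in the answer above (interface ACL first, then NAT, then the Crypto ACL match) is easy to reason about once it is written down as a small simulation. The script below is an added example, not code from the answer's author or from Cisco; it parses a constructed `show run access-list` / `show run crypto map` excerpt (only `extended permit|deny ip` ACEs and `match address` / `set peer` lines, no object-groups) and models NAT as a small rule list rather than parsing `nat` statements. The networks (10.1.1.0/24 local, 10.2.2.0/24 remote), the outside address 198.51.100.1 and the peer 203.0.113.2 are assumptions for the illustration. It shows the "forgot NAT0" failure from the third answer: with dynamic PAT applied first, the translated source no longer matches the Crypto ACL and the flow goes to the Internet instead of the tunnel.

```python
"""Toy model of the ASA order of operations described above:
inbound interface ACL -> NAT -> crypto ACL (crypto map) match.

Constructed example, not ASA code. It parses only 'extended permit|deny ip'
ACEs and 'crypto map ... match address / set peer' lines; NAT is modelled as
Python tuples rather than parsed from 'nat' statements."""
import ipaddress

# Constructed output of `show run access-list` and `show run crypto map`.
RUNNING_CONFIG = """
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-list VPN_TO_BRANCH extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.1.1.0/24")           # assumed local LAN
BRANCH = ipaddress.ip_network("10.2.2.0/24")        # assumed remote LAN
OUTSIDE_IP = ipaddress.ip_address("198.51.100.1")   # assumed outside interface IP

# NAT rules in lookup order: (real source, destination, mapped source).
# A mapped source of None is an identity translation, i.e. NAT0 / NAT exemption.
NAT_WITH_NAT0 = [(LAN, BRANCH, None), (LAN, ANY, OUTSIDE_IP)]
NAT_WITHOUT_NAT0 = [(LAN, ANY, OUTSIDE_IP)]  # the "forgot NAT0" case: only dynamic PAT


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK) from a token list."""
    if tokens[0] in ("any", "any4"):
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return (acls, crypto): ACL name -> [(action, src, dst)], (map, seq) -> {acl, peer}."""
    acls, crypto = {}, {}
    for line in text.strip().splitlines():
        w = line.split()
        if w[0] == "access-list" and w[2] == "extended" and w[4] == "ip":
            src, rest = _parse_addr(w[5:])
            dst, _ = _parse_addr(rest)
            acls.setdefault(w[1], []).append((w[3], src, dst))
        elif w[:2] == ["crypto", "map"]:
            entry = crypto.setdefault((w[2], int(w[3])), {})
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                entry["peer"] = w[6]
    return acls, crypto


def acl_lookup(acls, name, src, dst):
    """First matching ACE wins; every ASA ACL ends with an implicit deny."""
    for action, s, d in acls.get(name, []):
        if src in s and dst in d:
            return action
    return "deny"


def trace(config, nat_rules, in_acl, src, dst):
    """Mini packet-tracer: returns (verdict, source after NAT, VPN peer or None)."""
    acls, crypto = config
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. inbound interface ACL is evaluated on the untranslated packet
    if acl_lookup(acls, in_acl, src, dst) != "permit":
        return "DROP", str(src), None
    # 2. NAT: the first matching rule decides what source the later stages see
    xsrc = src
    for real, dest, mapped in nat_rules:
        if src in real and dst in dest:
            xsrc = src if mapped is None else mapped
            break
    # 3. crypto map: lowest sequence whose crypto ACL permits the (translated) flow
    for _key, entry in sorted(crypto.items()):
        if acl_lookup(acls, entry["acl"], xsrc, dst) == "permit":
            return "VPN", str(xsrc), entry.get("peer")
    return "INTERNET", str(xsrc), None


if __name__ == "__main__":
    cfg = parse_config(RUNNING_CONFIG)
    for label, rules in (("with NAT0", NAT_WITH_NAT0), ("without NAT0", NAT_WITHOUT_NAT0)):
        print(label, trace(cfg, rules, "INSIDE_IN", "10.1.1.10", "10.2.2.20"))
```

Running it prints a VPN verdict with the original 10.1.1.10 source when the NAT0 rule is present, and an INTERNET verdict with the PAT address 198.51.100.1 when it is missing, which is exactly the symptom the answer describes; a host outside 10.1.1.0/24 is dropped by the interface ACL before NAT or the crypto map are ever consulted.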