You must assign a crypto map set to each interface through which IPSec traffic flows. The security appliance supports IPSec on all interfaces. Assigning the crypto map set to an interface instructs the security appliance to evaluate all the traffic against the crypto map set and to use the specified policy during connection or SA negotiation.
Applying a crypto map to a DMZ is possible, but it all depends on what your end goal is.
For example, if you are planning to terminate Remote Access VPN clients on the DMZ interface, then you need to make sure that your default gateway is pointing out through the DMZ, unless you know which IP subnets/networks your remote users are going to come from.
If you want to terminate L2L tunnels on the DMZ, then make sure that your routing for the remote subnets is pointing through the DMZ, so traffic can get routed properly across the VPN tunnel.
I'm planning to terminate Remote Access VPN clients on the DMZ interface. I have the crypto map on my DMZ and I have a default route to my outside interface (because I do not know what the source is). I ran a debug of isakmp and ipsec, and nothing happens.
If I apply the crypto map to the outside, it is OK.
I put different security levels on the outside and DMZ interfaces; I also put the same security level on both, and in both cases it does not work.
Not even ping works if I try to ping the IP of the interface itself; if I ping an IP on the LAN (a PC) in the DMZ, it works.
As per my previous post, terminating Remote Access VPN clients on the DMZ with the default route pointing to the outside interface will not work.
If your default route is pointing through the outside interface (which is the case in 99% of deployments), I think your best bet is to terminate Remote Access VPN clients on the outside interface and terminate the L2L connections on the DMZ.
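As an added illustration of the split this reply recommends (this is not configuration posted in the thread), the fragment below uses ASA 8.4+ IKEv1 syntax to terminate remote-access clients on the outside interface, where the default route points, and a L2L tunnel on the DMZ, with explicit static routes so that both the L2L peer and its remote subnet resolve out of the DMZ. All interface names, addresses, pool, ACL, map and tunnel-group names are assumed for the example.

```text
! Assumed topology (constructed for this example, not from the thread):
!   outside 203.0.113.2/24, next hop 203.0.113.1
!   dmz     192.0.2.2/24,   next hop 192.0.2.1
!   L2L peer 172.16.50.10, reachable only via the dmz next hop
!   remote site 198.51.100.0/24 behind that peer; inside LAN 10.0.0.0/24
!   RA client pool 10.10.10.0/24
crypto ikev1 enable outside
crypto ikev1 enable dmz
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Remote-access clients come from unknown addresses, so they must arrive on
! the interface the default route points out of: the outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
tunnel-group RA_GROUP ipsec-attributes
 ikev1 pre-shared-key <ra-psk>
crypto dynamic-map RA_DYN 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside
!
! L2L tunnel on the DMZ. Both the peer address and the remote subnet must
! route out of the dmz, otherwise the dmz crypto map never sees the traffic
! and IKE is never initiated toward the peer.
route dmz 172.16.50.10 255.255.255.255 192.0.2.1 1
route dmz 198.51.100.0 255.255.255.0 192.0.2.1 1
access-list L2L_ACL extended permit ip 10.0.0.0 255.255.255.0 198.51.100.0 255.255.255.0
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network REMOTE_NET
 subnet 198.51.100.0 255.255.255.0
! Exempt the tunnelled traffic from NAT so the crypto ACL matches the real addresses.
nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
tunnel-group 172.16.50.10 type ipsec-l2l
tunnel-group 172.16.50.10 ipsec-attributes
 ikev1 pre-shared-key <l2l-psk>
crypto map DMZ_MAP 10 match address L2L_ACL
crypto map DMZ_MAP 10 set peer 172.16.50.10
crypto map DMZ_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map DMZ_MAP interface dmz
```

Before debugging IKE, check `show route` and confirm that 172.16.50.10 and 198.51.100.0/24 are listed via the dmz interface; if they resolve through the default route instead, the DMZ crypto map is never consulted and `debug crypto ikev1` stays silent, which is the symptom described earlier in the thread. Then verify with `show crypto ikev1 sa` and `show crypto ipsec sa`. One caveat on the ping test mentioned above: the ASA does not answer ICMP sent to one of its interface addresses from a host that is reached through a different interface, so failing to ping the DMZ interface IP from outside is expected behaviour and not by itself a routing or crypto-map fault.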
I had a similar plan to terminate IPsec remote-client VPN connections on my DMZ interface at 24.222.AAA.1. Unfortunately my outside interface is the default gateway, is not internet-addressable, and goes to my internet edge router, which does NAT/PAT. Given your post above, I see this will not work as it is configured, so I wonder what would happen if I statically forwarded a free internet IP from the internet edge router down to the ASA outside interface 172.16.100.2 and terminated IPsec there. Is that even possible with something like NAT traversal or the like?
I know the simple answer here will likely be to terminate on the edge device, but it is not provisioned for that and is already under enough load.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: