ASA5510 VPN confusion

sykesaeh
Level 1

Hi All,

I'm trying to get my head around building a VPN on an ASA5510.

Can someone explain the reason why the 'Local Network' and 'Remote Network', under 'Protected Networks' (in my head the encryption domains?) can be different to the crypto map (ACL?)?

I'm having to edit a VPN for the new organisation I work for and I have found the Protected Networks are completely different from the crypto map.  I thought that these would have to be the same because that's the traffic being encrypted.  Is this not the case?

I hope what I'm asking makes sense.  Apologies if not.

My main firewall background (admittedly a while ago) is Check Point and I'm struggling with the difference.

Many thanks

Alex

1 Reply

m.kafka
Level 4

Cisco has implemented the RFCs about Phase2 (respectively Child-SA for IKEv2) like this:

An incoming Phase2/Child-SA proposal will be accepted if the offered local/remote idents (encryption domain in Checkpoint speak) are a true subset of the locally configured crypto access-list.

E.g. if the incoming proposal is for a /32 and your local crypto access-list accepts a /24 the proposal is accepted and a "dynamic" IPsec SA (resp. Child-SA) will be created with the smaller range. In my example with a /32.

Now you will see e.g. a remote network with /32 although your access-list has a /24 defined as a destination.

This is well documented and in accordance with RFCs (the original text says something like that about accepting IPsec proposals: "The responder decides").

Hope that helps,

MiKa
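The responder rule from the reply above, as an added example that is not part of the original thread or of any Cisco code: a small Python model that parses a simplified crypto access-list (hypothetical networks) and decides which selectors a Phase2/Child-SA would end up with, so you can see why the negotiated "Protected Networks" can be narrower than the crypto map ACL.

```python
"""Model of the responder behaviour described above: a Phase2/Child-SA
proposal is accepted when its local and remote selectors each fall inside
some entry of the configured crypto access-list, and the resulting IPsec SA
carries the proposal's (possibly narrower) ranges, not the ACL's.
All networks below are hypothetical, constructed for this example."""
from ipaddress import ip_network, IPv4Network
from typing import List, Optional, Tuple

AclEntry = Tuple[IPv4Network, IPv4Network]   # (local/source, remote/destination)


def parse_crypto_acl(lines: List[str]) -> List[AclEntry]:
    """Parse simplified 'permit ip <src> <srcmask> <dst> <dstmask>' lines
    (ASA-style netmask notation) into (source, destination) network pairs."""
    acl: List[AclEntry] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        src = ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        dst = ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        acl.append((src, dst))
    return acl


def accept_proposal(acl: List[AclEntry], proposed_local: str,
                    proposed_remote: str) -> Optional[Tuple[str, str]]:
    """Return the (local, remote) selectors of the IPsec SA the responder would
    build, or None when the proposal is not a subset of any ACL entry.
    A range equal to the ACL entry counts as a subset; a superset is rejected."""
    local = ip_network(proposed_local)
    remote = ip_network(proposed_remote)
    for src, dst in acl:
        if local.subnet_of(src) and remote.subnet_of(dst):
            # The SA keeps the proposal's ranges, so it can be narrower than the ACL.
            return (local.with_prefixlen, remote.with_prefixlen)
    return None


if __name__ == "__main__":
    # Constructed crypto map ACL: one /24 to /24 entry.
    acl = parse_crypto_acl(["permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0"])
    # Peer proposes a single host pair: accepted, SA is /32 <-> /32.
    print(accept_proposal(acl, "10.1.1.7/32", "192.168.5.20/32"))
    # Peer proposes a /16 on the local side: wider than the ACL, rejected.
    print(accept_proposal(acl, "10.1.0.0/16", "192.168.5.0/24"))
```

The first call is the situation in the thread: the crypto map says /24, but the SA (and therefore the displayed remote network) ends up as the /32 the peer proposed.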