I'm trying to get my head around building a VPN on an ASA5510.
Can someone explain the reason why the 'Local Network' and 'Remote Network', under 'Protected Networks' (in my head the encryption domains?) can be different to the crypto map (ACL?)?
I'm having to edit a VPN for the new organisation I work for and I have found the Protected Networks are completely different from the crypto map. I thought that these would have to be the same because that's the traffic being encrypted. Is this not the case?
I hope what I'm asking makes sense. Apologies if not.
My main firewall background (admittedly a while ago) is Check Point and I'm struggling with the difference.
Cisco has implemented the RFCs about Phase2 (respectively Child-SA for IKEv2) like this:
An incoming Phase2/Child-SA proposal will be accepted if the offered local/remote idents (encryption domain in Checkpoint speak) are a true subset of the locally configured crypto access-list.
E.g. if the incoming proposal is for a /32 and your local crypto access-list accepts a /24, the proposal is accepted and a "dynamic" IPsecSA (resp. Child-SA) will be created with the smaller range. In my example with a /32.
Now you will see e.g. a remote network with /32 although your access-list has a /24 defined as a destination.
This is well documented and in accordance with RFCs (the original text says something like that about accepting IPsec proposals: "The responder decides").
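To make the responder rule in that answer concrete, here is an added example (not Cisco code, not from the thread) that models the subset check in Python: a proposal is accepted only when both of its idents fall inside one crypto access-list entry, and the resulting SA carries the proposed, narrower ranges. The names `Selector`, `crypto_acl`, `accept_proposal` and `describe`, and the 10.1.0.0/24 and 192.168.5.0/24 networks, are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a responder-side model of the "proposal must be a subset of the
# crypto ACL" behaviour. Nothing here is Cisco code; all names are invented.


@dataclass(frozen=True)
class Selector:
    """One local/remote pair of traffic selectors (Phase 2 idents / encryption domain)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def crypto_acl(entries: List[Tuple[str, str]]) -> List[Selector]:
    """Build the responder's crypto access-list: each entry is (local source, remote destination)."""
    return [Selector(ipaddress.ip_network(src), ipaddress.ip_network(dst)) for src, dst in entries]


def accept_proposal(proposal: Selector, acl: List[Selector]) -> Optional[Selector]:
    """Return the selector the SA is built with, or None if the proposal is rejected.

    The proposal is written from the responder's point of view (our network as local,
    the peer's network as remote). It is accepted only when BOTH idents lie inside the
    same crypto access-list entry; the SA then carries the proposed (narrower) ranges,
    which is why the ASA can show a /32 remote network while the ACL says /24.
    """
    for entry in acl:
        if proposal.local.subnet_of(entry.local) and proposal.remote.subnet_of(entry.remote):
            return proposal  # accepted: SA uses the smaller ranges, not the ACL's
    return None  # wider than, or outside, every ACL entry: the responder declines


def describe(proposal: Selector, acl: List[Selector]) -> str:
    """Human-readable verdict, handy when comparing 'Protected Networks' against the crypto map."""
    sa = accept_proposal(proposal, acl)
    if sa is None:
        return f"REJECT {proposal.local} <-> {proposal.remote}: not a subset of any crypto ACL entry"
    return f"ACCEPT {sa.local} <-> {sa.remote}: SA built with these narrower idents"


# Constructed sample data (not from the thread): the crypto map permits a /24 <-> /24.
ACL = crypto_acl([("10.1.0.0/24", "192.168.5.0/24")])

SAMPLE_PROPOSALS = [
    Selector(ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("192.168.5.0/24")),   # exact match
    Selector(ipaddress.ip_network("10.1.0.7/32"), ipaddress.ip_network("192.168.5.20/32")),  # host pair inside the ACL
    Selector(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.168.5.0/24")),   # local side too wide
    Selector(ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("172.16.0.0/24")),    # remote side not covered
]

if __name__ == "__main__":
    for p in SAMPLE_PROPOSALS:
        print(describe(p, ACL))
```

Run it and the second proposal is accepted with /32 idents even though the ACL only knows the /24s, which is exactly the mismatch between "Protected Networks" and the crypto map described in the question; the third and fourth are refused because the responder never widens beyond its own access-list.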