08-23-2014 03:50 AM
Hi, I was working on an L2L VPN config, and had some doubts.
Now, the default hierarchy of how a policy is applied for RA VPN goes: Dynamic Access Policy, User Profile Policy, Specific Group Policy for that User, Connection Profile Group Policy, Default Group Policy. I am not sure if such a hierarchy applies to L2L VPN.
I have a Crypto ACL named outside_crypto_10. And under the tunnel-group I have a group-policy called TEST_FILTER. And under that group-policy I have a vpn-filter value TEST_FILTER.
My question is, when traffic is generated which matches the outside_crypto_10 ACL, it will go via the tunnel.
08-23-2014 05:39 AM
Hi,
Please find the clarification for your queries.
Ans: The vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#configs
Ans: Yes. It will be in the inbound direction as said in my previous answer. But it can also be bi-directional if needed.
Ans: Interface ACLs can be skipped by issuing sysopt connection permit-vpn.
A No-NAT ACL is a must in case we are using communication between private network LANs.
Ans: It considers both, and VPN filters are widely used to restrict port-based communication between sites.
Regards
Karthik
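To make the points in this answer concrete, here is an added ASA configuration example (not from the original thread, and not Cisco's documentation) showing the pieces discussed together: a broad crypto ACL that only selects traffic for the tunnel, a vpn-filter ACL written with the remote network as source and the local network as destination, an identity NAT rule so LAN-to-LAN traffic is not translated, and sysopt connection permit-vpn so the interface ACL is bypassed for tunnel traffic. The ACL names outside_crypto_10 and TEST_FILTER and the group-policy name come from the thread; the subnets 10.1.1.0/24 (local) and 10.2.2.0/24 (remote), the peer address 203.0.113.2, the object names, the crypto map name and the transform-set name are constructed placeholders.

```cisco
! Local LAN 10.1.1.0/24 (behind inside), remote LAN 10.2.2.0/24 (behind peer 203.0.113.2)
! Constructed addresses and names for illustration only.

! Crypto ACL: "interesting traffic" selector. Kept broad (permit ip), local first, remote second.
! This only decides what gets encrypted; it does not restrict what is allowed.
access-list outside_crypto_10 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! vpn-filter ACL: applied to decrypted traffic entering from the tunnel and to clear-text
! traffic before it is encrypted. The REMOTE network is always the source and the LOCAL
! network the destination, regardless of which side opened the connection.
! Remote hosts may reach HTTPS and SSH on the local LAN:
access-list TEST_FILTER extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 443
access-list TEST_FILTER extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 22
! Local hosts may open HTTPS to remote servers: the remote port sits on the source side.
access-list TEST_FILTER extended permit tcp 10.2.2.0 255.255.255.0 eq 443 10.1.1.0 255.255.255.0
! ICMP both ways for troubleshooting.
access-list TEST_FILTER extended permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
! Everything else across the tunnel is dropped by the implicit deny of the vpn-filter.

! Identity (No-NAT) rule so the private LANs are not translated toward each other (ASA 8.3+ syntax).
object network LOCAL_LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! Group-policy carrying the vpn-filter, attached to the L2L tunnel-group.
group-policy TEST_FILTER internal
group-policy TEST_FILTER attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value TEST_FILTER

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy TEST_FILTER
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER_PSK>

! IKEv1 / IPsec plumbing and the crypto map that binds the crypto ACL to the peer.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_crypto_10
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Decrypted VPN traffic bypasses the outside interface ACL; the vpn-filter is then the only
! per-tunnel restriction, so keep it explicit and review it like an interface ACL.
sysopt connection permit-vpn
```

With this layout the crypto ACL and the vpn-filter have separate jobs: outside_crypto_10 selects which flows are protected, TEST_FILTER decides which of those flows are permitted. The filter is stateful, so the return half of an allowed connection does not need its own line; only the initiating direction has to be written, always with the remote side as source.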
08-30-2014 04:13 AM
Thank you nkarthikeyan for your reply.
So, you mean first it will use the Crypto ACL outside_crypto_10 to travel through the tunnel.
Once it reaches the ASA, it will be restricted by the vpn-filter TEST_FILTER.
So, if this is the case, I guess the best setup would be to allow ip traffic in the Crypto ACL, and restrict on ports in the vpn-filter.
08-31-2014 08:49 PM
Yeah... You are right....
Regards
Karthik