Site-to-Site VPN question

Hi, I was working on an L2L VPN config, and had some doubts.

 

Now, the default hierarchy of how a policy is applied for RA VPN goes: Dynamic Access Policy, User Profile Policy, Specific Group Policy for that User, Connection Profile Group Policy, Default Group Policy. I am not sure if such a hierarchy applies to L2L VPN.

 

I have a crypto ACL named outside_crypto_10. Under the tunnel-group I have a group-policy called TEST_FILTER, and under that group-policy I have a vpn-filter value TEST_FILTER.

 

My question is: when traffic is generated which matches the outside_crypto_10 ACL, it will go via the tunnel.

  1. If the traffic doesn't match anything in the outside_crypto_10 ACL, will it look for that under the vpn-filter "TEST_FILTER"?
  2. If yes, in what direction should we have the ACL in "TEST_FILTER" defined, like access-list TEST_FILTER extended permit ip (Internal Network) (Peer End Network), or vice-versa, access-list TEST_FILTER extended permit ip (Peer End Network) (Internal Network)?
  3. Should we be needing the interface ACL, no-NAT, outside ACL?
  4. Also I read in the hierarchy of how a policy is applied for RA VPN that if it finds a matching parameter it will bypass the parameters under it for that. Like if it finds a matching Dynamic Access Policy for a user, it will not look for it again under User Profile Policy, Specific Group Policy for that User, Connection Profile Group Policy, Default Group Policy. So will such a case happen with the L2L VPN? Like if it finds a crypto ACL, will it bypass the TEST_FILTER or will it consider that too?

 

crypto map outside_map 10 match address outside_crypto_10
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 2.2.2.2
crypto map outside_map 10 set ikev1 transform-set aes-256-sha
crypto map outside_map 10 set security-association lifetime seconds 3600

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy TEST_FILTER
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key *****

group-policy TEST_FILTER internal
group-policy TEST_FILTER attributes
 vpn-filter value TEST_FILTER

Hi,

Please find the clarification for your queries.

  • If the traffic doesn't match anything in outside_crypto_10 ACL ,will it look that under vpn-filter "TEST_FILTER"

Ans: The vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel. When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL must be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#configs

  • If yes, in what direction should we have the ACL in "TEST_FILTER" defined,like access-list TEST_FILTER extended permit ip (Internal Network )  (Peer End Network) or vice-versa access-list TEST_FILTER extended permit ip  (Peer End Network) (Internal Network ) .

Ans: Yes. It will be in the inbound direction as said in my previous answer. But it can also be bi-directional if needed.

  • Should we be needing the Interface ACL,no NAT,Outside ACL.

Ans: Interface ACLs can be skipped by issuing sysopt connection permit-vpn.

A no-NAT ACL is a must in case we are using communication between private network LANs.

  • Also i read in the hierarchy of how a Policy is applied for RA VPN ,if it finds a matching parameter it will by-pass the parameters under it for that. Like if it finds a matching Dynamic Access Policy for a User,it will not look it again under User Profile Policy,Specific Group Policy for that User,Connection Profile Group Policy,Default Group Policy . So will such case happen with the L2L VPN ? Like if it finds a Crypto ACL ,will it bypass the TEST_FILTER or will consider that too ?

Ans: It considers both and VPN filters are widely used to restrict on port based communication between sites.

 

 

Regards

Karthik
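The two answers above can be checked against a small model of the packet path. The following Python is an added example, not Cisco code and not from this thread: it models a crypto ACL that matches all IP between the two sites, a vpn-filter written with the peer network in the source position, and the ASA's evaluation of the filter on the mirrored 5-tuple for pre-encrypted (outbound) traffic. The networks, ports and the "outbound"/"inbound" labels are constructed for the example, and the mirrored-evaluation rule is an assumption taken from the linked vpn-filter document; confirm it on your own platform.

```python
"""Model of how a crypto ACL and a vpn-filter are applied to one packet.

Added example, not Cisco code. Assumptions: a packet is "outbound" when a
local host sends it toward the peer (pre-encryption) and "inbound" when it
arrives decrypted from the tunnel; the vpn-filter ACL is written with the
remote network as source and is evaluated on the mirrored 5-tuple for
outbound traffic. Networks are CIDR strings or "any".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit <proto> <src> [eq sport] <dst> [eq dport]."""
    proto: str                    # "ip", "tcp" or "udp"
    src: str                      # CIDR or "any"
    dst: str
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return (_in_net(pkt.src, ace.src) and _in_net(pkt.dst, ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """Any matching permit entry passes the packet; no match is an implicit deny."""
    return any(_ace_matches(ace, pkt) for ace in acl)


def swapped(pkt: Packet) -> Packet:
    """Mirror the 5-tuple: source becomes destination and vice versa."""
    return Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)


def evaluate(pkt: Packet, direction: str,
             crypto_acl: List[Ace], vpn_filter: List[Ace]) -> str:
    """Crypto ACL decides whether the packet belongs to the tunnel at all;
    the vpn-filter is then applied to everything the tunnel carries."""
    if direction == "outbound":
        interesting = acl_permits(crypto_acl, pkt)        # local -> peer, as written
        filter_view = swapped(pkt)                         # filter is remote-as-source
    elif direction == "inbound":
        interesting = acl_permits(crypto_acl, swapped(pkt))  # decrypted, mirror of the ACL
        filter_view = pkt                                  # already remote-as-source
    else:
        raise ValueError(f"unknown direction {direction!r}")
    if not interesting:
        return "not-interesting"          # never encrypted; crypto ACL is the only gate here
    if not acl_permits(vpn_filter, filter_view):
        return "dropped-by-vpn-filter"    # crypto ACL matched, but the filter blocks it
    return "permitted-through-tunnel"


# Constructed sample networks (not from the thread).
LOCAL_NET, PEER_NET = "10.1.1.0/24", "192.168.1.0/24"

# Crypto ACL written local -> peer and permitting all IP, so the tunnel
# carries everything and the port restriction lives in the vpn-filter.
CRYPTO_ACL = [Ace("ip", LOCAL_NET, PEER_NET)]

# vpn-filter written with the peer (remote) network in the source position.
VPN_FILTER = [
    Ace("tcp", PEER_NET, LOCAL_NET, dport=443),   # peer hosts may reach local HTTPS
    Ace("tcp", PEER_NET, LOCAL_NET, sport=22),    # local hosts may SSH to peer hosts
]


def demo() -> Dict[str, str]:
    cases = {
        "peer -> local 443 (inbound)":  (Packet("192.168.1.5", "10.1.1.10", "tcp", 40000, 443), "inbound"),
        "peer -> local 22 (inbound)":   (Packet("192.168.1.5", "10.1.1.10", "tcp", 40000, 22), "inbound"),
        "local -> peer 22 (outbound)":  (Packet("10.1.1.10", "192.168.1.5", "tcp", 50000, 22), "outbound"),
        "local -> peer 443 (outbound)": (Packet("10.1.1.10", "192.168.1.5", "tcp", 50000, 443), "outbound"),
        "local -> internet (outbound)": (Packet("10.1.1.10", "8.8.8.8", "tcp", 50000, 443), "outbound"),
    }
    return {name: evaluate(p, d, CRYPTO_ACL, VPN_FILTER) for name, (p, d) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} -> {verdict}")
```

The two outbound cases are the ones worth noticing: because the filter is evaluated with the peer as source, the entry that lets local hosts open SSH to the peer has `eq 22` in the source-port position, and an entry with `eq 443` in the destination-port position only admits connections that the peer initiates. Traffic to a destination outside the crypto ACL never consults the filter at all.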


Thank you nkarthikeyan for your reply.

 

So, you mean first it will use the crypto ACL outside_crypto_10 to travel through the tunnel.

Once it reaches the ASA, it will be restricted by the vpn filter TEST_FILTER.

 

So, if this is the case, I guess the best setup would be to allow IP traffic in the crypto ACL, and restrict on ports in the vpn filter.

 

Yeah... You are right....

 

Regards

Karthik
