ASA5505 - supernet crypto ACL
Hello
One of my clients has a corporate network consisting of 4 ASA5505s. The network looks like this:
(HUB, 192.168.9.0/24)
^ ^ ^
^ ^ ^
(speak, 4.0/24) (speak, 8.0/24) (speak, 12.0/24)
Configuration star where we want that all private networks to be able to communicate with each other. Some dynamic l2l other tunnels are static l2l.
I was wondering is it possible for the Tunnel ACL to use great networks?
For example on the rays do something like:
access-list extended 100 permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.0.0
As all of our networks are 192.168.x.x subnets? We want to avoid having to update all the rays, if we introduce another site in the VPN.
And on the hub, something like:
permit to_site1 to access extended list ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.255.0
permit to_site2 to access extended list ip 192.168.0.0 255.255.0.0 192.168.8.0 255.255.255.0
So, we do not have to add a new site is added to each time access lists?
I was wondering if this would work, or would be considered best practice.
Thanks in advance.
It should work.
Tags: Cisco Security
Similar Questions
-
Cisco asa 9.1: crypto acl - order, order of operations,.
Hello
Let's say we have the following configuration
VPN1 list extended access permitted ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
card crypto mymap 10 correspondence address vpn1
card crypto mymap 10 peers set x.x.x.x
access-list extended 192.168.1.0 ip VPN2 allow 255.255.255.0 10.1.1.0 255.255.255.0
mymap 20 match address vpn2 crypto card
card crypto mymap 20 peers set y.y.y.y
In the above example, what happens if you intend to send a packet to a host on the 10.1.1.x and her counterpart that x.x.x.x is down (not SA).
If Asa will verify that the SA is down or away he starts the process of the next crypto access list according to the sequence number of crypto card? or simply drag the package?
If Asa trial next crypto map entry/crypto acl and that if no matching ACL? Packets are sent as clear text?
Thank you explantion
Peter
Hi Peter,.
This would work if the first tunnel is down and there is not SA for her.
However, it is not recommended to overlap crypto ACL.
Kind regards
Aditya
Please evaluate the useful messages and mark the correct answers.
-
Hello
It is only important that the entries on a crypto ACL are identical on both ends or the order in which they were seized of questions too? I mean, for example:
At one end:
A-> B
A-> C
On the other hand:
C-> A
B-> A
What is a reason for the failure?
Thank you!
Guido
Guido,
The crypto ACL should be identical, i.e. of the mirror of the other images, but the order is not important.
Kind regards
Arul
* Rate pls if it helps *.
-
Hello
I have a star topology IPSec VPN using a Cisco ASA as the hub and a PIX506e such as the rays.
Two of the rays also have an IPSec VPN between them.
The hub site connects to a WAN.
The sites of two rays have the following ranges
Spoke 1 = 10.154.10.0/24
Spoke 2 = 10.156.10.0/24
Hub = 10.8.0.0/24 site - but also connects to all other addresses in the range 10.0.0.0/8 with a back end WAN connection.
I was looking for a way to 'Nice' configure crypto ACLs so that the traffic between the spokes 1 and 2 would be direct and then everything from 10 would go through the hub site. Rather than try to clear all the subnets in 10.0.0.0/8 except 10.156.10.0/24 & 10.154.10.0/24 in an ACL.
If I order the cryptographic cards on the RADIUS, so the most accurate is first example (the map speaks of talking), then a card encryption to 10.0.0.0/8 for hub is second, it would work?
So we talked 1.
!
allowed to access-list to-speaks-2 ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0
IP 10.154.10.0 allow Access-list to hub 255.255.255.0 10.0.0.0 255.0.0.0
!
outside_map 100 ipsec-isakmp crypto map
card crypto outside_map 100 match address to-speaks-2
card crypto outside_map 100 peer set 1.2.3.4
transform-set set card crypto outside_map 100 standard
outside_map 200 ipsec-isakmp crypto map
card crypto outside_map 200 correspondence address to hub
peer set card crypto outside_map 200 8.9.10.11
transform-set set outside_map 200 crypto card standard!
Any thoughts?
Yes, reject the order is absolutely supported. Well... I forgot about 'decline' crypto ACL
-
Disable Split Tunneling - SAs are not when I change crypto ACL
Hello!
When I change my ACL Crypto I receive an error message in phase I: "PROPOSAL_NOT_CHOSEN NOTIFIER' of IKE. I do this to disable the ST and get all the hollow tunnel traffic. Please see the config below:
crypto ISAKMP policy 10
md5 hash
preshared authentication
life 3600
ISAKMP crypto key cisco address x.x.x.x
!
!
Crypto ipsec transform-set esp - the esp-hmac-md5 ENCRYPTION
!
crypto map ipsec-isakmp CLIENT 1
defined peer x.x.x.x
game of transformation-CRYPTO
match address 115
!
access-list 115 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 115 deny ip any one
I changed the ACL 115 to so I can disable split tunneling, and it looks like this:
access-list 115 permit ip 10.10.10.0 0.0.0.255 any
access-list 115 deny ip any one
What is a failure? I have donthink the crypto ACL must be the same?
OK, you use a card dynamic encryption on your head just as I suggested, so that's fine. What you have done, which is causing your problem (and usually causes more problems than it's worth), is to assign an access list to the dynamic encryption card. It is not necessary, because with a dynamic encryption the router head card accept any model of traffic the remote router sends.
In your case since you changed the remote router to be 'all', it is no longer maps to the 115 ACL on the head and now is failing.
Way easier around it is simply to remove the 'match 115' address card dynamic encryption on the head. This will not affect any of your other tunnels and allow the remote router to establish a tunnel.
The exact commands you would use are as follows:
> crypto dynamic-map PERSONAL 10
> no address for correspondence 115
-
Hello
Any body knows if it s possible to configure the service in crypto ACL?
Something like that:
Crypto list access permit tcp host 1.1.1.1 1.1.1.1 eq 23
How will be the crypto ACL on the other side?
I apologise for the misunderstanding what kind of device you have.
with pix v6.x, you can disable the command "sysopt connection permit-ipsec. When this command is enabled (on by default), pix will ignore any acl with encrypted traffic.
so to disable this command, create an inbound acl, apply the acl to the external interface, and let the No. - nat and crypto such acl what.
for example
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 120 allow ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.100 eq 23
(Inside) NAT 0-list of access 101
Access-group 111 in external interface
myvpn 10 ipsec-isakmp crypto map
correspondence address card crypto myvpn 10 120
card crypto myvpn 10 set by peer
card crypto myvpn 10 transform-set RIGHT
-
Site to site VPN ASA2ASA funny crypto ACL behavior
Hello
I use a VPN site-to site between two ASAs. It works but it should not work, in my opinion, there is a bug. The thing is that when I set the traffic is encrypted in an ACL, this traffic is denied and the tunnel doen't work. If I remove the ACL entries, I'm really interested in encryption, it works...
Thus, for example.
I affermirai a tunnel between the two ASAs and specify
access allowed extended VPN ip host 172.16.0.60 list 172.20.24.60
colt_map card crypto 20 matches the VPN address
card crypto test_map 20 peers set 1.1.1.1
test_map crypto 20 card value transform-set TEST
3600 seconds, duration of life card crypto test_map 20 set - the security association
card crypto test_map 20 set security-association life kilobytes 4608000When I have it, there is no traffic allowed between 172.16.0.60 and 172.20.24.60. And when I do:
VPN access list extended deny ip host 172.16.0.60 172.20.24.60
access allowed extended VPN ip host 172.16.0.59 list 172.20.24.59
Can I get a communication between 172.16.0.60 172.20.24.60 of the host, but not between 172.16.0.59 the host 172.20.24.59.
It seems very weird to me. I was wondering if anyone had this behaviour before or she could explain it?
Thanks in advance.
Yes.
In Janan all traffic VPN is not checked against the external ACL because of a single command: sysopt connection permit VPN
You can see if this command is enabled by practice: sh run all the sysopt
If you remove this command: no sysopt permit vpn connection
then, all VPN traffic is checked against the ACL interface (and you can only allow what you need).
A better approach is to let the sysopt connection permit-vpn default and create a vpn-filter ACL that is applied to group policy for tunnel groups you need.
Federico.
-
Hello
I have a some 837 with an IPsec VPN to HQ.
I need to add an additional network to ACL crypto on the 837. Unfortunately, the previous administrator left a refusal at the end of the ACL. So I really need to replace it. I have only a remote with the router connectivity.
On a router to test, I tried to remove the access list (no ip access-list ext vpndst) and then lost all access to the router (inside and outside address). Only a relaod would work.
What is the best way to change the ACL of the Crypto remotely?
Hello
If there is an ACL name, just change it...
SH-access list vpndst (take the deny any any line number)
ext vpndst IP access list
No # (#= line number of the deny)
You can also put your order in a text file and copy them into the flash. After an errand flash copy, it will merge the config.
-
L2l Tunnel between 2POIGNEES: general query on ACL sheep/crypto
Hi all
For the L2L tunnel between 2POIGNEES work very well, we configure normally same network to network - sheep & cryptos ACL on both ends of the SAA. My question is...
It will work without any problem, if on one end of the ASA, the ACL sheep & crypto are combined to form the group object (to limit the ASA configs) and on the other end address net net address ACL sheep & crypto still exists (not consolidated in the Group of objects)... ? If it works, it works even if the tunnel is between ASA--> router.
Thanks in advance
MS
MS, it will work if the other side does not use the same scenario of acl consolidated using groups of objects. ACLs and groups of objects are significant locally on the device.
You can consolidate the ACLs on the ASA/PIX using TCP or UDP-groups of objects or groups of objects network and that your acl to the respective object-group, they always have the same effect as when they have been configured individually line by line.
This works even if the tunnel is between ASA--> router
Yes
HTH
Jorge
-
Possible Crypto overlap and NAT ACL open to the vs host subnet
Hello
For a PIX 515E 6.3 (5)
I have the following ACL:
List of crypto ACL
ipsectraffic list of allowed access host ip 192.168.7.221 object-group pdvcorp-backup3-to-db1-datacenter
ipsectraffic list of allowed access host ip 192.168.7.222 object-group pdvcorp-backup3-to-db1-datacenter
permit ipsectraffic of the object-group corphosts-datacenter 192.168.10.0 ip access list 255.255.255.0
ipsectraffic permit access list ip object-group Productionhosts - data center object-group access-productionhosts-data centerIn the list above Crypto ACL list, hosts, 192.168.7.221 and 192.168.7.222 are both also part of the group 'productionhosts-datacenter"referenced in the same object list ACL. What are the consequences of having the same hosts referenced in the Crypto ACL, if any?
No NAT access list
IP 192.168.7.0 allow Access-list sheep 255.255.255.0 192.168.10.0 255.255.255.0
In regards to the Crypto ACL above, is there a (security wise or another) problem with the opening of the entire subnet with an ACL sheep to save on the duty to nail each host.
Thank you
Dan
It's okay, you can use the same source to multiple destinations. No issues with the sheep.
-
ACL IPSEC - CRYPTO vs Interface
Hello
Where an IOS device is connected to a PIX 6.3, with a VPN IPSec site to site with ipsec connection allowed sysopt
Thinking that it would be simpler to apply the required ACL, I created the ACL crypto to the entire subnet with the thought I would create ACL interface for nailing to specific hosts inside the subnet. I see now that I need to disable the connection of sysopt permit-ipsec for the ACL interface to apply.
1. is it more common for crypto ACL to be more host specific vs specific subnet and the necessary ACL ONLY (with the active sysopt)? I have a true Swiss cheese of the armies on either side of the vpn that need access and I didn't want to maintain such a complicated in meaning OPPOSITE ACL.
2 or it is more common for both - crypto ACL (allow a simpler ACL) then apply ACL interface?
3. I see the issue with the realization of the interface & crypto ACL, there is more that can get sent THEN denied to the remote interface, or even blocked traffic on the local side. If the ACL interface should be used, what is the best practice here?
4. I see the interface that acl work when sysopt allowed ipsec connection is enabled, but only on outbound traffic. Is it because traffic has not struck the crypto ACL again?
Any pointers in the right direction would be appreciated.
Thank you
Dan Foxley
Dan
Much depends on whether the VPN device also acts as a firewall. If this isn't ie. Once the traffic has been decrypted, it is then passed on the firewall then allowed sysopt of active ipsec connection is a logical choice.
In response to your questions, speak from my personal experience-
(1) crypto ACL tend to be more subnet than host-based, but it depends on your specific needs.
(2) Yes, in general the crypto acl is more general, the acl interface is where you attach.
(3) don't know, I followed. If you want to limit this subnet traffic is sent through the tunnel then you would with an acl interface but on a different interface IE. the interface more near the source of the traffic.
(4) it is to do with the order of treatment IE. which is done first. Not really used an acl outgoing on the same interface as endpoint vpn but I suspect you're right.
Note that you do not need to apply the acl on the actual interface the VPN ends, at least with the code v7.x and beyond. You can terminate the VPN on the external interface, and then use an outbound acl on the interface that is sent unencrypted traffic. Yes, that means he has to go through the firewall, but it can make the management of your ACLs easier.
Jon
-
Need to create a different VPN S2S in same ASA5505
Hi Experts,
I need to create the second VPN in ASA5505 even, he already has a VPN in one of our customers. So he already have a transformset, of cryptomap, of politics.
Now, I need to create a new. I like to create a separate transformset and card crypto for this 2nd VPN with a new name to the issues very easily.
But I doubt as may it will affect the current VPN? because it has a different VPN with another tranformset and cryptomap...
So, I have the following questions...
(1) affect the current VPN?
(2) do I need to create a separate tranformset and cryptomap? or with the same tranformset and cryptomap with different number...
If it is possible to create several cryptomap, then I would like to stress that to create...
concerning
Vipin
(1) you must use the same name of card crypto with a number of different order. You cannot use a new name for the crypto map. However, if you want to easily identify the new VPN, just name your game of transformation and crypto ACL with the new name of VPN.
(2) you can use the same set of transformation if the second VPN has the same policy as the first VPN. You certainly have to use the name of cryptomap even with a different sequence number, such that you can not create a new name of cryptomap.
Hope that answers your question.
-
I have two questions that regarding ACL is used in the instructions on the Card Crypto:
1. the two devices VPN should have the same ACE in the ACL? I know that without the second ACE site B below will not see as interesting udp traffic, but the will of the vpn tunnel fails because the ACL is not the same ACE?
That is to say...
Site has
Access-list 110 permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Access-list 110 permit udp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Site B
Access-list 110 permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
2. once a tunnel is established it will send ANY/ALL traffic destined to the remote network through this tunnel. If the first ACE in the ACL 110 to Site A list is used to bring up the tunnel, only tcp from to 10.0.2.0/24 10.0.1.0/24 traffic will use the tunnel or all traffic from 10.0.1.0/24 intended for the remote network to cross the tunnel?
I guess my thought is this. The ACL is only used to determine valuable traffic and once the tunnel is up it is a free for all. Or the ACL only allows traffic that meets the criteria specified in the ACL list to flow once the tunnel is established?
Thank you
Brian
Brian,
Your statement
'Or the ACL allows only traffic that meets the criteria specified in the ACL list to flow after the tunnel is established'
Is correct, only the traffic that meets the ACL crypto will go through the vpn tunnel and all other traffic will be denied. If you need UDP traffic to travel through the tunnel, you need crypto ACL on both sides and not only on one side, that is, SITE A.
Hope this helps,
Jay
-
Question card crypto for VPN gateway router
I'm moving my VPN environment at 2811 routers. I move a seller more tomorrow which has two sources who need to connect to each of our IPs, those inside the IPs are NAT had real IPS at the firewall behind the router. I know I'll find out tomorrow, but thought I would see if anyone see a problem with this ACL that is used for the encryption card, is there a problem with multiple sources (50.50.50.1 et.2 in file) connection to the same destinations? The IP addresses in this file are not real output IPs. Thank you.
If I understand you correctly, no it should not be a problem at all. Each entry in your crypto ACLs card will create a separate IPSEC security association pair and there is no overlap.
Let me know if I misunderstood your question.
Jon
-
If I create a card encryption there is the address for correspondence control (acl). My question is; This acl sets the only traffic that is allowed in the tunnel or will other types of traffic that are allowed in the tunnel and all simply not encrypted.
Hi Chris and Daniel,
All traffic authorized by the crypto acl will be led by the IPSec tunnel.
The rest of the traffic will not use the tunnel, but is passed by the link.
"license ip any any" is allowed on crypto as on any other ACL ACL. Its use depends on how you want to define your valuable traffic.
Cheers:
István
Maybe you are looking for
-
I finally decided that I wanted to update to OS El Capitan, but now there is this update of the Sierra and I don't want to jump. I DON'T WANT SIRI ON MY LAPTOP! So I would like to know where I can get a legitimate version of El Capitan thanks!
-
I stopped using Firefox as nothing I've done has corrected this problem. I tried to close Firefox and restart it, I erased all my Add-ons and then added adblock back (it's the only one), but it still does not work. I deleted files so that I have more
-
7520 photosmart e-ALL-IN-ONE seems to send emails from scan successfully, but does not work
The scanner scans and appears to send the email successfully, confirms indeed e-mail was sent but can't
-
reset the sony bravia kdl-46ex523
reset the sony bravia kdl-46ex523
-
BlackBerry Smartphones BLACKBERRY PRIV IS NOT CHARGING
I got this phone 2 days ago. It loads very well yesterday. now, he does not even recognize my charger.