ipsec crypto-map versus acl

I'm creating an IPsec tunnel between 2 ASAs. I realize that the crypto map specifies the traffic that is being encrypted between the 2 local subnets, but I do have to create a separate access list, don't I? This is going to be an IPsec tunnel between my company and a recently acquired company, so the subnet we have acquired will only have access to specified ports on certain IPs on our network. The crypto map wouldn't have anything to do with that, would it? I would need an additional ACL to specify this traffic?
techlinden Asked:
Craig Beck Commented:
The crypto map defines how to encrypt the traffic.  The ACL defines which traffic should be encrypted.
arnold Commented:
Adding to craigbeck's comments:
And allowed through to the other side.
In your scenario, you would not add the ACL that defines the traffic to be encrypted into the nonat rule, given your stated limitation.
You would need to use the nat (inside) 1 ACL_specifically_defining_which_resources_remote_LAN_users_can_access.

There should be two or three ACLs.
One defines the traffic to be encrypted and sent via the VPN tunnel; here you have a choice on whether to encrypt all inter-LAN traffic, enforcing the access via the next ACL when it arrives on the ASA, or whether your VPN specifically outlines only the access allowed through the VPN.
On one end, one defining the direction, i.e. what traffic from the remote side is accepted; on the other, if HQ has full access to the remote, add the ACL to the nonat rule, i.e. any traffic from the VPN on the HQ LAN will not be subject to any filtering rules.
techlinden Author Commented:
I'm still a little confused. We're running ASA version 9.2. I created a NAT exemption rule for the traffic, but I don't see where I would add an ACL to the rule? If I go to IPsec in the ASDM I see the access rule for the crypto under the ACL Manager, but I don't see it under general access lists. I guess the question is: do I also need something under access lists to enable traffic between the 2 networks in addition to the crypto maps?
techlinden Author Commented:
I think I may have found the answer.....

The answer is where we use the ACL, and that determines the name.

Let's create ACL 101 that permits IP traffic from the 10.0.0.0/8 network to the 172.16.0.0/16 network, and permits nothing else.

If we apply ACL 101 to an interface for filtering, that is exactly what it is: a filter that will only allow that traffic through the interface it is applied to, based on the traffic matching the permit in the ACL.

If we apply the same ACL as part of our crypto map in IPsec, then that same ACL 101 is now called a crypto ACL. The purpose of the ACL in this case is to identify what traffic should be encrypted, specifically any traffic from 10.0.0.0/8 to 172.16.0.0/16 (in our example).
arnold Commented:
Did you add a rule that deals with LAN1-to-LAN2 traffic as a nonat (nat (inside) 0 nonat)?
This setup exempts any traffic in the nonat ACL from being subjected to any restrictions.

The crypto map provides, as Craig pointed out, the encryption portion of the tunnel. An ACL is used to specify the traffic that must be matched for it to enter the tunnel,
i.e. the ACL functions as a verification that the packet has the correct/valid ticket to enter the tunnel.
An ACL on the other side verifies that the packet has the right to exit the tunnel.
The identifiers are the source of the packet and the destination of the packet. Either one or both can be required to be true, i.e. only one IP has rights to access only one IP on the other side.

Are you using CLI or ASDM to set them up?

Here is a graphical guide for the setup with the explanations that may help:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113486-ikev2-s2s-tunnel-00.html

There are many examples available on Cisco's sites as well as on the net at large.
arnold Commented:
An ACL is an ACL.
The application of the ACL on an interface (by direction, in or out), as well as its use as part of a VPN tunnel, will dictate how a packet will be treated.
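The following ASA 9.x configuration is an added worked example, not something posted by the participants above, that puts the three pieces the thread keeps separating side by side: the crypto ACL selecting what enters the tunnel, the NAT exemption, and the interface ACL that restricts what the acquired subnet may reach once its traffic is decrypted. The subnets, host addresses, peer IPs, object names and the pre-shared key are all made up for illustration. Two details matter for the 9.2 question about "adding an ACL to the NAT rule": the `nat (inside) 0 access-list NONAT` form discussed earlier is pre-8.3 syntax, and in 8.3+ the exemption is an object-based identity NAT rule with no ACL attached; and the ASA default `sysopt connection permit-vpn` lets decrypted VPN traffic bypass interface ACLs entirely, so the filtering ACL has no effect until that is disabled (or the restriction is applied as a `vpn-filter` in the tunnel's group-policy instead).

```cisco
! Added example (not from the thread). ASA 9.x site-to-site IPsec with
! a broad crypto ACL and a narrow interface ACL. All addresses, names and
! the key below are constructed for illustration.
!
! HQ LAN:        10.10.0.0/16     (behind interface "inside")
! Acquired LAN:  192.168.50.0/24  (behind the remote ASA)
! HQ outside IP: 203.0.113.10     Remote peer: 198.51.100.20

object network HQ-LAN
 subnet 10.10.0.0 255.255.0.0
object network ACQ-LAN
 subnet 192.168.50.0 255.255.255.0
object network HQ-ERP
 host 10.10.20.5

! 1) Crypto ACL: selects what is encrypted into the tunnel. Kept to the
!    full LAN pair so one SA carries all inter-site traffic; access control
!    is done in step 3. The remote ASA's crypto ACL must be the exact mirror.
access-list CRYPTO-ACQ extended permit ip object HQ-LAN object ACQ-LAN

! 2) NAT exemption (post-8.3 identity/twice NAT). This only prevents
!    translation so the packets still match the crypto ACL; no filtering
!    ACL hangs off this rule in 8.3+ syntax.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static ACQ-LAN ACQ-LAN no-proxy-arp route-lookup

! 3) Filtering ACL applied inbound on "outside": after decryption the
!    acquired subnet may only reach HTTPS and RDP on the ERP host and DNS
!    on 10.10.0.53. Everything else from that subnet is dropped and logged.
access-list OUTSIDE-IN extended permit tcp object ACQ-LAN object HQ-ERP eq 443
access-list OUTSIDE-IN extended permit tcp object ACQ-LAN object HQ-ERP eq 3389
access-list OUTSIDE-IN extended permit udp object ACQ-LAN host 10.10.0.53 eq 53
access-list OUTSIDE-IN extended deny ip object ACQ-LAN object HQ-LAN log
access-group OUTSIDE-IN in interface outside

! Caveat: with the default "sysopt connection permit-vpn", decrypted VPN
! traffic skips interface ACLs and step 3 never applies. Disable it so
! OUTSIDE-IN is enforced (or use "vpn-filter" in the group-policy instead).
no sysopt connection permit-vpn

! IKEv1 phase 1, IPsec transform set and the crypto map that ties the
! crypto ACL (step 1) to the peer and the encryption parameters.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address CRYPTO-ACQ
crypto map OUTSIDE-MAP 10 set peer 198.51.100.20
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
```

Verify the split after the tunnel is up with `show crypto ipsec sa` (the crypto ACL's local/remote identities and encrypt/decrypt counters) and `show access-list OUTSIDE-IN` (hit counts on the permit and deny lines); a growing counter on the final deny line confirms that the interface ACL, not the crypto ACL, is what fences the acquired subnet in.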
