IOS Site-To-Site VPN Questions

_maurice_maurice Member Posts: 142
Hi there! I have a site-to-site vpn between an 871 running 12.4 and an ASA 5505 running 8.2. The 871 LAN is and the ASA 5505 LAN is I currently trust all traffic over the vpn tunnel between the two LANs. Since the 871 is using the zone-based-firewall, I had to create inspection rules in the wan-to-lan policy to allow ip traffic from the remote LAN.

The problem is that allowing all ip traffic from the network to the network from wan-to-lan is a large security risk. This opens the 871 to allow ip traffic from a spoofed source address (in the subnet) to come into my LAN.

I am posting my relevant config below. Per a cisco document, a workaround would be to use a vpn tunnel type that uses a virtual tunnel interface (VTI). However, I don't think the ASA supports that.

class-map type inspect match-all remote-lan-class
match access-group name remote-lan
class-map type inspect match-any wan-to-self-class
match access-group name wan-in
policy-map type inspect wan-to-lan-policy
class type inspect remote-lan-class
class class-default
policy-map type inspect wan-to-self-policy
class type inspect wan-to-self-class
class class-default
drop log
zone-pair security wan-to-lan source wan destination lan
service-policy type inspect wan-to-lan-policy
zone-pair security wan-to-self source wan destination self
service-policy type inspect wan-to-self-policy
ip access-list extended remote-lan
permit ip
ip access-list extended wan-in
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
deny ip any any

The cisco documentation relating to this issue is here: Using VPN with Zone-Based Policy Firewall [Cisco IOS Firewall] - Cisco Systems

Can someone please confirm the security risk I mention? Is using an Easy VPN the only solution, as this uses a VTI?


  • _maurice_maurice Member Posts: 142
    As a follow up to my post last week...

    I think the "security risk" I mentioned earlier doesn't exist. My understanding is that since the crypto map is applied to the outside interface, the interface will only accept this "interesting traffic" when it is encrypted... If the "interesting traffic" does not match the crypto map, it gets dropped.
Sign In or Register to comment.