Cisco ASA for Nexus 1000V Series Switch Technical Manual

Note: This scenario worked in the past, but after an upgrade of the headend ASA to Version 8.4(6) or later,
the VPN client is no longer able to establish the connection.
Cisco bug ID CSCuc75090 introduced a behavior change. Previously, with the Private Internet Exchange
(PIX), when the Internet Protocol Security (IPSec) proxy did not match a crypto-map Access Control List
(ACL), it continued to check entries further down the list. This included matches with a dynamic crypto-map
with no peer specified.
This was considered a vulnerability, as remote administrators could gain access to resources that the headend
administrator did not intend when the static L2L was configured.
A fix was created that added a check in order to prevent matches with a crypto-map entry without a peer
when a map entry that matched the peer had already been checked. However, this affected the scenario that is
discussed in this document: a remote VPN client that attempts to connect from an L2L peer
address is no longer able to connect to the headend.
Configure
Use this section to configure the ASA so that it allows a remote VPN client connection from an L2L
peer address.
Add a New Dynamic Entry
In order to allow remote VPN connections from L2L peer addresses, you must add a new dynamic crypto-map entry
that specifies the same peer IP address as the static L2L entry.
Note: You must also leave another dynamic entry without a peer so that any client from the internet can
connect as well.
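The following ASA configuration is an added example, not taken from this document or from Cisco, that applies the step above. The names ra-dyn-map, outside_map, outside_cryptomap_1 and ESP-AES-128-SHA are the ones this page uses; the L2L peer address 203.0.113.10 (an RFC 5737 documentation address) and the sequence numbers 5, 10 and 65535 are assumptions.

```cisco
! Added example (not from the original document). The peer address
! 203.0.113.10 and the sequence numbers 5, 10 and 65535 are assumptions.
!
! Static L2L entry for the remote site (unchanged):
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
!
! New dynamic entry that names the same peer as the static L2L entry.
! Because it carries a peer that matches, the post-8.4(6) check does not
! skip it, so a remote VPN client sourced from 203.0.113.10 whose proxy
! identity misses outside_cryptomap_1 can still match here.
crypto dynamic-map ra-dyn-map 5 set peer 203.0.113.10
crypto dynamic-map ra-dyn-map 5 set ikev1 transform-set ESP-AES-128-SHA
!
! Peerless dynamic entry kept for every other remote-access client on the
! Internet; without it, clients from any other address can no longer connect.
crypto dynamic-map ra-dyn-map 10 set ikev1 transform-set ESP-AES-128-SHA
!
! Bind the dynamic map to the end of the static crypto map, after the L2L
! entries, and apply the crypto map to the outside interface.
crypto map outside_map 65535 ipsec-isakmp dynamic ra-dyn-map
crypto map outside_map interface outside
```

After applying it, confirm both dynamic entries are present with show running-config crypto, then connect a VPN client from the L2L peer address and a client from an unrelated Internet address; both sessions should appear in show vpn-sessiondb, while the static L2L tunnel continues to negotiate against the sequence 1 entry.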
Here is an example of the previous, working dynamic crypto-map configuration:
crypto dynamic-map ra-dyn-map 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 match address outside_cryptomap_1