PIX/ASA site-to-site VPN config question

Unanswered Question
Sep 4th, 2007

Do I need to specify the source IP address & mask in my access-list that's referenced in the crypto map "match address" line or can I just say "any"?

If I want to send certain traffic to one tunnel and other traffic to a different tunnel based solely on the destination address, can my access lists look like:

access-list main_tunnel extended permit ip any

access-list other_tunnel extended permit ip any

(and then, obviously, reference the appropriate access list in two different "crypto map" configs.)

I'm just wondering because all the examples & templates that I've seen specify both the source & destination IPs but since all my sites just have one subnet on the LAN, I might as well just say "any", right?

Any downside to this?

acomiskey Tue, 09/04/2007 - 14:38

The downside is the other end should be a mirror of the main end.

permit ip any

permit ip any

and you probably don't want that.
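As an added illustration of the mirror requirement described in this reply (this is example code, not something from the thread or from Cisco), the short Python below parses ASA-style "permit ip SRC DST" crypto ACL entries, produces the mirror entry the remote peer would need, and checks whether two entries really are mirrors of each other. The subnets 10.1.1.0/24 and 10.2.2.0/24, the ACL names and every function name are constructed for the example. Feeding it a local entry with source "any" shows what the other end would have to carry: a destination of "any", i.e. all of that LAN's traffic pushed into the tunnel.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample sites: one LAN subnet each (not taken from the thread).
SITE_A_LAN = "10.1.1.0 255.255.255.0"
SITE_B_LAN = "10.2.2.0 255.255.255.0"

ANY = ipaddress.IPv4Network("0.0.0.0/0")   # how this example represents 'any'


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit ip <src> <dst>' entry of a crypto (match address) ACL."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' beginning at tokens[i].
    Returns the network and the index of the next unread token."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted-decimal masks: '10.1.1.0/255.255.255.0'
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' (ASA syntax)."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"not a simple 'permit ip' crypto ACE: {line}")
    src, i = _parse_addr(t, 5)
    dst, _ = _parse_addr(t, i)
    return CryptoAce(t[1], src, dst)


def fmt_addr(net):
    """Render a network back in the ACL's own notation."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render(ace):
    return (f"access-list {ace.name} extended permit ip "
            f"{fmt_addr(ace.src)} {fmt_addr(ace.dst)}")


def mirror(ace, peer_acl_name):
    """The entry the remote peer must carry: source and destination swapped."""
    return CryptoAce(peer_acl_name, ace.dst, ace.src)


def is_mirrored(local_line, remote_line):
    """True if the remote entry is the exact mirror of the local one."""
    local, remote = parse_ace(local_line), parse_ace(remote_line)
    return (local.src, local.dst) == (remote.dst, remote.src)


def remote_tunnels_everything(remote_line):
    """True if the remote entry has destination 'any', so every packet leaving
    its source network would be selected for the tunnel."""
    return parse_ace(remote_line).dst.prefixlen == 0


if __name__ == "__main__":
    specific = f"access-list to_b extended permit ip {SITE_A_LAN} {SITE_B_LAN}"
    loose = f"access-list to_b extended permit ip any {SITE_B_LAN}"
    for local in (specific, loose):
        peer = render(mirror(parse_ace(local), "to_a"))
        print("local :", local)
        print("peer  :", peer)
        print("peer sends all of its LAN into the tunnel:",
              remote_tunnels_everything(peer))
        print()
```

Running it prints the mirrored peer entry for both the explicit source/destination form and the "any" form; the second case yields "permit ip 10.2.2.0 255.255.255.0 any" on the far side, which is the outcome the reply above warns about.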
