PIX/ASA site-to-site VPN config question

thomasdzubin
Level 1

Do I need to specify the source IP address & mask in my access-list that's referenced in the crypto map "match address" line or can I just say "any"?

If I want to send certain traffic to one tunnel and other traffic to a different tunnel based solely on the destination address, can my access lists look like:

access-list main_tunnel extended permit ip any 192.168.1.0 255.255.255.0

access-list other_tunnel extended permit ip any 192.168.2.0 255.255.255.0

(and then, obviously, reference the appropriate access list in two different "crypto map" configs.)

I'm just wondering because all the examples & templates that I've seen specify both the source & destination IPs but since all my sites just have one subnet on the LAN, I might as well just say "any", right?

Any downside to this?

1 Reply

acomiskey
Level 10

The downside is the other end should be a mirror of the main end.

permit ip 192.168.1.0 255.255.255.0 any

permit ip 192.168.2.0 255.255.255.0 any

and you probably don't want that.
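As an added example (not from the thread), a small Python checker that builds the mirrored crypto ACL the peer would need and tests which packets it would select for the tunnel; it shows that the mirror of the poster's "any" ACE also captures the remote LAN's Internet-bound traffic. The peer ACL name and the 10.0.0.0/24 peer subnet are constructed for illustration.

```python
import ipaddress
import re

# Matches ASA extended ACEs of the shape used in the thread, e.g.
#   access-list main_tunnel extended permit ip any 192.168.1.0 255.255.255.0
# Only "permit ip" with "any" or "<network> <mask>" endpoints are handled.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_ace(line):
    """Return (acl_name, src_net, dst_net); 'any' becomes 0.0.0.0/0."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    def to_net(tok):
        if tok == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        addr, mask = tok.split()
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return m["name"], to_net(m["src"]), to_net(m["dst"])

def mirror_ace(line, peer_acl_name):
    """The crypto ACL the peer needs: the same ACE with src and dst swapped."""
    _, src, dst = parse_ace(line)
    def fmt(net):
        return "any" if net.prefixlen == 0 else f"{net.network_address} {net.netmask}"
    return f"access-list {peer_acl_name} extended permit ip {fmt(dst)} {fmt(src)}"

def ace_matches(line, src_ip, dst_ip):
    """Would a packet src_ip -> dst_ip be selected for the tunnel by this ACE?"""
    _, src, dst = parse_ace(line)
    return ipaddress.ip_address(src_ip) in src and ipaddress.ip_address(dst_ip) in dst

def overly_broad(line):
    """True if either endpoint is 'any': the ACE pulls in traffic that is not site-to-site."""
    _, src, dst = parse_ace(line)
    return src.prefixlen == 0 or dst.prefixlen == 0

if __name__ == "__main__":
    local = "access-list main_tunnel extended permit ip any 192.168.1.0 255.255.255.0"
    peer = mirror_ace(local, "main_tunnel")  # peer ACL name is a constructed placeholder
    print(peer)
    # The mirrored ACE selects the remote LAN's Internet-bound traffic for the tunnel too:
    print("remote 192.168.1.10 -> 8.8.8.8 tunnelled:", ace_matches(peer, "192.168.1.10", "8.8.8.8"))
    specific = "access-list main_tunnel extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0"
    print("specific source ACE broad:", overly_broad(specific))
```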