PIX Site to Site VPN Issue

Apr 10th, 2008

Consider the following Phase 2 parameters of a VPN. The issue is I need to give a clear text access-list too, along with the normal Crypto ACL and NO NAT ACL. I am not able to find out the reason for the same.


crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer 65.127.X.X
crypto map outside_map 140 set transform-set ESP-3DES-SHA

a) Crypto ACL

access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0

b) NO NAT ACL

access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 host 10.200.253.8
access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
access-list appdmz_outbound_nat0_acl extended permit ip host 10.81.34.59 host 10.100.8.3

c) Clear text ACL

access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh
access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3



Query: In a Site to Site VPN, ideally only the Crypto ACL (interesting traffic ACL) and the NO NAT ACL are required. However, in some VPN scenarios a clear text ACL is also required, without which, even after the tunnel is up, devices are unreachable and the following error is given.



“Connection denied by webdmz_access_in”


Please let me know the following:

1) Is it really required?

2) If not, what are those scenarios in which it needs to be given?


Regards

Ankur

husycisco Thu, 04/10/2008 - 06:45

Hi Ankur,

As you know, traffic from a higher security interface to a lower security interface is permitted by default. That means if there is no access-list applied to the higher security level interface, traffic will be permitted. It is not really required.

But in some firewall implementations, security admins apply an access-list to that higher security level interface to filter traffic originating from inside, the trusted users. In this case, they permit specific traffic, then a deny any any at the end. Since the traffic is filtered, you have to specifically permit the tunnel traffic.


Regards
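As an added illustration (not part of this thread), a small Python model of the first-match, implicit-deny ACL evaluation described in the reply, run over the crypto ACL and webdmz_access_in quoted in the question. It shows why a ping from 10.10.49.30 to 10.100.8.3 counts as interesting traffic (third crypto ACE, any IP to 10.100.8.0/24) yet is dropped at the inbound interface ACL, which only permits SSH to that subnet. The parser handles just the PIX syntax subset used in the question (host / network-mask addresses, optional "eq port"); that restriction and the sample flows are assumptions for the demo.

```python
import ipaddress
# Constructed sample input: the crypto ACL and the webdmz inbound ACL from the question.
CRYPTO_ACL = """
access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
"""
WEBDMZ_ACCESS_IN = """
access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh
access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8
"""
PORT_NAMES = {"ssh": "22"}  # only the service name this sample needs

def _addr(tokens):
    """Consume one address spec, 'host A' or 'A MASK' (the forms used above)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        port = PORT_NAMES.get(rest[1], rest[1]) if rest[:1] == ["eq"] else None
        aces.append((t[3], t[4], src, dst, port))
    return aces

def lookup(aces, proto, src, dst, port=None):
    """First-match evaluation with the implicit deny at the end, as the firewall does it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, dport in aces:
        if p in ("ip", proto) and src in s and dst in d and dport in (None, port):
            return action == "permit"
    return False

def tunnel_flow_status(crypto, iface_acl, flows):
    """Map each (proto, src, dst, port) to (interesting per crypto ACL, permitted by interface ACL)."""
    return {f: (lookup(crypto, *f), lookup(iface_acl, *f)) for f in flows}

FLOWS = [("icmp", "10.10.49.30", "10.200.253.8", None),  # permitted by both ACLs
         ("tcp", "10.10.49.30", "10.100.8.3", "22"),      # permitted by both ACLs
         ("icmp", "10.10.49.30", "10.100.8.3", None)]     # interesting, yet webdmz_access_in has no ACE

if __name__ == "__main__":
    print(tunnel_flow_status(parse_acl(CRYPTO_ACL), parse_acl(WEBDMZ_ACCESS_IN), FLOWS))
```

A flow reported as (True, False) is exactly the "Connection denied by webdmz_access_in" case: the tunnel would carry it, but the inbound ACL on the higher security interface drops it first.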
