Crypto Maps and Access Rule

Answered Question
Apr 16th, 2008

When I create a crypto map, do I still need to create an access list rule for it? Or will anything on the crypto map be encrypted so that I don't need to create an access rule?

Jon Marshall Wed, 04/16/2008 - 23:45
Could you clarify what you mean? Without an access-list the crypto map doesn't know what traffic to encrypt.


Jon

bauti1428 Thu, 04/17/2008 - 05:55

On the ASA, when you create a site-to-site, you create a crypto map and you set up what traffic to encrypt; it looks like an access rule. What I noticed was that I'm seeing from the access rule that it was being blocked, but the encrypted traffic seems to be still working. I opened up certain ports to allow on one of our site-to-sites and I configured that in the crypto map rule.

Correct Answer
cisco24x7 Thu, 04/17/2008 - 06:15

If you have "sysopt connection permit-ipsec" in the configuration, IPsec traffic will bypass the access rule ACL you applied to the interface.

The workaround is to disable it with "no sysopt connection permit-ipsec" and let the ACL do the work for you.



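As an added illustration of the answer above (not configuration from the thread or from the poster), here is an ASA site-to-site fragment that keeps the crypto ACL (what to encrypt) separate from the interface ACL (what to permit), turns off the bypass, and checks the current setting. Interface names, addresses, ACL names and ports are assumed; on the ASA the command is "sysopt connection permit-vpn", the PIX-era spelling being "permit-ipsec".

```cisco
! Added example, not from the original thread. Names and addresses are constructed.

! 1) Crypto ACL: selects which traffic is encrypted to the peer.
!    It is NOT a permit/deny filter; matching traffic is still subject
!    to the interface ACL once the bypass below is disabled.
access-list VPN_TO_BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 2) Default behaviour (on by default, so it does not appear in a plain
!    "show running-config"): decrypted VPN traffic skips the interface ACL.
!    sysopt connection permit-vpn      <- ASA syntax
!    sysopt connection permit-ipsec    <- older PIX syntax

! 3) Disable the bypass so the outside ACL also filters decrypted traffic.
no sysopt connection permit-vpn

! 4) The interface ACL now decides what the remote site may reach.
!    Allow only the required services and log everything else that is dropped.
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.10.5 eq 443
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.10.6 eq 3389
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 5) Verify the current state; "all" includes default (hidden) settings.
show running-config all sysopt
```

If the output of step 5 still lists "sysopt connection permit-vpn", the interface ACL hit counters will not reflect tunnel traffic, which is the symptom described in the thread.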
bauti1428 Thu, 04/17/2008 - 06:24

How do I find out if sysopt connection permit-ipsec is enabled or not? Also, in our ASA I don't have permit-ipsec, only permit-vpn, unless they are the same.
