Crypto Maps and Access Rule

bauti1428
Level 1

When I create a crypto map, do I still need to create an access list rule for it? Or will anything on the crypto map be encrypted so that I don't need to create an access rule?


5 Replies

Jon Marshall
Hall of Fame

Could you clarify what you mean. Without an access-list the crypto map doesn't know what traffic to encrypt.

Jon

On the ASA, when you create a site-to-site, you create a crypto map and you set up what traffic to encrypt; it looks like an access rule. What I noticed was that I'm seeing in the access rule that it was being blocked, but the encrypted traffic seems to be still working. I opened up certain ports to allow on one of our site-to-sites, and I configured that in the crypto map rule.

If you have "sysopt connection permit-ipsec" in the configuration, IPsec traffic will bypass the access rule ACL you applied to the interface.

The workaround is to disable it with "no sysopt connection permit-ipsec" and let the ACL do the work for you.

How do I find out if sysopt connection permit-ipsec is enabled or not? Also, in our ASA I don't have permit-ipsec, only permit-vpn, unless they are the same.
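The configuration below is an added example and is not from any post in this thread; it pulls together the accepted answer (IPsec traffic bypassing the interface ACL) and the follow-up question (how to check the sysopt setting, and permit-ipsec versus permit-vpn). The ACL names, the 10.1.0.0/16 and 10.2.0.0/16 networks, the peer 203.0.113.1 and the group-policy and transform-set names are assumptions chosen for illustration, and the crypto map syntax is the ASA 8.4+ form (`set ikev1 transform-set`; earlier releases use `set transform-set` and `pre-shared-key` without the `ikev1` keyword). Two facts it relies on that you can verify on any ASA: `sysopt connection permit-vpn` is the current name of the older PIX-era `sysopt connection permit-ipsec`, and because it is enabled by default it is hidden from a plain `show running-config`, so you must use the `all` keyword to see it.

```text
! Added example, not from the original thread.  Names and addresses are assumptions.

! 1. The crypto ACL.  This is the "access rule" a crypto map cannot work without:
!    it only selects which traffic gets encrypted.  It is NOT a security filter.
access-list VPN-TO-BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 2. The interface ACL the original poster expected to see blocking the traffic.
!    Note that it permits only TCP/443 from the branch.
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 3. Why OUTSIDE_IN never matched the tunnel traffic.  The bypass is on by
!    default and is hidden from "show running-config"; check it with "all":
!
!    ciscoasa# show running-config all sysopt
!    sysopt connection permit-vpn      <-- present = decrypted traffic bypasses OUTSIDE_IN
!
!    "sysopt connection permit-ipsec" is the older PIX name of the same setting.

! 4a. Option A: make the interface ACL enforce on decrypted traffic.  This is
!     global, so it affects every tunnel terminating on the ASA.  Once set, the
!     "no" form does appear in a plain "show running-config".
no sysopt connection permit-vpn

! 4b. Option B: keep the default bypass and filter only this tunnel with a
!     vpn-filter ACL on its group policy.  A vpn-filter ACL is written from the
!     remote side's point of view (source = remote network) and is applied to
!     traffic in both directions of the tunnel.
access-list BRANCH-FILTER extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list BRANCH-FILTER extended deny ip any any
group-policy BRANCH-GP internal
group-policy BRANCH-GP attributes
 vpn-filter value BRANCH-FILTER
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy BRANCH-GP
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-REAL-PSK
```

Use option A when you want one interface ACL to govern everything arriving on the outside interface, and option B when you need per-tunnel policy without changing a global setting; either way, verify the effect with `show running-config all sysopt` and `packet-tracer input outside tcp 10.2.0.1 1025 10.1.0.1 445`, which should report a drop on the ACL once the bypass is gone or the vpn-filter is in place.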
