04-16-2008 09:16 AM - edited 03-11-2019 05:32 AM
When I create a crypto map, do I still need to create an access list rule for it? Or will anything on the crypto map be encrypted so that I don't need to create an access rule?
04-16-2008 11:45 PM
Could you clarify what you mean? Without an access list, the crypto map doesn't know what traffic to encrypt.
Jon
04-17-2008 05:55 AM
On the ASA, when you create a site-to-site VPN, you create a crypto map and set up what traffic to encrypt; it looks like an access rule. What I noticed is that in the access rule I'm seeing it being blocked, but the encrypted traffic still seems to be working. I opened up certain ports to allow on one of our site-to-site tunnels, and I configured that in the crypto map rule.
04-17-2008 06:15 AM
If you have "sysopt connection permit-ipsec" in the configuration, IPsec traffic will bypass the access rule ACL you applied to the interface.
The workaround is to disable it with "no sysopt connection permit-ipsec" and let the ACL do the work for you.
04-17-2008 06:24 AM
How do I find out if sysopt connection permit-ipsec is enabled or not? Also, in our ASA I don't have permit-ipsec, only permit-vpn, unless they are the same.
04-17-2008 04:20 PM
show running-config sysopt
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s6.html#wp1371596
HTH (pls rate)
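As an added, constructed example (not posted by anyone in this thread), the ASA 8.0-style configuration below puts the two ACLs the thread is talking about side by side: the crypto ACL, which only selects what the tunnel encrypts, and the interface ACL, which is the actual filter. It ends with the sysopt setting the accepted answer refers to (spelled permit-vpn on the ASA, which is the name the follow-up question saw in its config) in its default form and in the disabled form that makes the interface ACL apply to decrypted traffic, plus the show commands used to verify the state. All ACL names, networks, peer address and pre-shared key are assumptions.

```cisco
! Constructed example, not from the thread. Names, networks, peer and key are assumptions.

! --- Crypto ACL: selects which traffic the tunnel encrypts. It is NOT a filter. ---
! Anything matching this line is encrypted toward the peer; it does not permit or deny.
access-list VPN_TO_BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Phase 1 and Phase 2 for a site-to-site tunnel to the branch at 203.0.113.2.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key ExamplePSK-ChangeMe

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! --- Interface ACL: the real filter for traffic arriving on outside. ---
! Only HTTPS and SSH from the branch LAN to the HQ LAN are meant to be allowed.
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- Default state: decrypted VPN traffic skips OUTSIDE_IN entirely. ---
! A branch host can reach any port on 10.1.0.0/16 even though the tunnel is up
! and the interface ACL says otherwise. This is on by default and therefore
! does not appear in "show running-config" unless you add "all".
sysopt connection permit-vpn

! --- Workaround from the accepted answer: send decrypted traffic through OUTSIDE_IN. ---
! After this, only 443 and 22 from the branch LAN pass; everything else hits the deny line.
no sysopt connection permit-vpn

! --- Verification (exec mode) ---
! show running-config all sysopt       <- shows permit-vpn whether or not it was changed
! show access-list OUTSIDE_IN          <- hit counts confirm the ACL is now in the path
! show crypto ipsec sa                 <- encaps/decaps counters confirm the tunnel is up
```

The last two configuration lines are alternatives, not a sequence to apply together: the first is the default that lets decrypted traffic bypass the interface ACL, the second is the change the accepted answer recommends. Use `show running-config all sysopt` rather than plain `show running-config sysopt` when checking, because default settings are omitted from the normal running configuration. One alternative the thread does not raise: the ASA also supports a `vpn-filter` ACL in the group-policy, which filters VPN traffic even while permit-vpn stays enabled, so interface ACLs for non-VPN traffic are unaffected.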