Crypto Maps and Access Rule

bauti1428
Level 1

When I create a crypto map, do I still need to create an access list rule for it? Or will anything on the crypto map be encrypted so that I don't need to create an access rule?


5 Replies

Jon Marshall
Hall of Fame

Could you clarify what you mean? Without an access-list the crypto map doesn't know what traffic to encrypt.

Jon

On the ASA when you create a site to site, you create a crypto map and you set up what traffic to encrypt; it looks like an access rule. What I noticed was that I'm seeing from the access rule that it was being blocked, but the encrypted traffic seems to be still working. I opened up certain ports to allow on one of our site to sites and I configured that in the crypto map rule.

Accepted Solution

If you have "sysopt connection permit-ipsec" in the configuration, IPSec traffic will bypass the access rule ACL you applied to the interface.

The workaround is to disable it with "no sysopt connection permit-ipsec" and let the ACL do the work for you.

How do I find out if sysopt connection permit-ipsec is enabled or not? Also, in our ASA I don't have permit-ipsec, only permit-vpn, unless they are the same.
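As an added illustration (constructed here, not posted by anyone in this thread) of the point in the accepted answer: the crypto ACL only selects what gets encrypted, and whether the interface ACL is applied to decrypted VPN traffic depends on the sysopt setting. Names, addresses and the transform set are made up; the `ikev1` keyword assumes ASA 8.4 or later, and on 7.x and later the command is `permit-vpn` rather than the older `permit-ipsec`.

```text
! Constructed ASA example: site-to-site tunnel with the interface ACL
! doing the filtering for decrypted VPN traffic.
!
! 1. Check the current state. permit-vpn is ON by default, so a plain
!    "show run sysopt" may print nothing; "all" includes defaults.
ciscoasa# show running-config all sysopt
sysopt connection permit-vpn          <-- interface ACL is bypassed

! 2. Crypto ACL: defines WHAT is encrypted, it does not permit anything.
access-list VPN-CRYPTO extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address VPN-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! 3. Stop decrypted VPN traffic from bypassing the interface ACL.
no sysopt connection permit-vpn

! 4. The interface ACL must now explicitly allow the post-decryption
!    traffic from the remote site; anything else from the tunnel is
!    dropped and logged like any other inbound traffic.
access-list OUTSIDE-IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list OUTSIDE-IN extended permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! 5. Verify the interface ACL now sees tunnel traffic (hit counts grow).
ciscoasa# show access-list OUTSIDE-IN
```

With `sysopt connection permit-vpn` left at its default, the OUTSIDE-IN entries above are never consulted for traffic arriving through the tunnel, which matches what the original poster observed.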
