Reg. Crypto ACL query for S2S/RA VPN

Unanswered Question
Apr 22nd, 2008

Hi all / husycisco


Consider the following config for S2S VPN


access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3

access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0


My query is: instead of using an IP-based crypto ACL, can I configure it TCP-based? I have tried doing the same; however, no success. If we cannot do it, is there any specific reason for the same?


The reason for this query is that all auditors pinpoint as to why the IP-based ACL is given. Any help for the same will be appreciated.


Regards

Ankur

husycisco Tue, 04/22/2008 - 13:11

Hi Ankur,

By specifying a port in any ACL that is a network ACL instead of a restriction ACL (like NAT ACLs, interesting-traffic ACLs, tunnel ACLs), you are making the device check the port portion of each packet during "routing", which is not permitted in Cisco firewall appliances, since that would decrease the performance slightly for a stateful firewall. You should have got a warning "Warning port specified in bla bla will slightly decrease bla bla" (I can't remember the exact phrase) whenever you try to do this.

Regards
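Since the question comes from auditors asking why the crypto ACL entries are written as "permit ip", a small audit script is the practical thing to have: it parses ASA-style extended ACEs and reports which entries select traffic by address only and which carry a protocol or port qualifier. This is an added example, not code from the original post or from Cisco. The first two ACEs are the ones Ankur posted; the last two are constructed here (placeholder addresses and ports) purely to show what a port-qualified entry looks like beside them. The "network-only form" it prints is just a textual rewrite to protocol "ip" with the port dropped; the script takes no position on where the port restriction should then be enforced.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input (added example, not from the original post).
# Lines 1-2: the ACEs Ankur posted. Lines 3-4: constructed port-qualified
# variants with placeholder ports, for comparison only.
SAMPLE_ACL_TEXT = """\
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
access-list outside_cryptomap_140 extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq 443
access-list outside_cryptomap_140 extended permit udp host 10.10.49.30 host 10.100.8.3 eq 514
"""

# Port operators in ASA extended ACEs and how many arguments each takes.
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}
HOST_MASK = "255.255.255.255"


@dataclass
class Ace:
    acl_name: str
    action: str
    protocol: str
    src: Tuple[str, str]          # (network, mask)
    src_port: Optional[str]       # e.g. "eq 443", or None
    dst: Tuple[str, str]
    dst_port: Optional[str]

    def is_network_only(self) -> bool:
        """True when the ACE matches on addresses alone: protocol 'ip', no ports."""
        return self.protocol == "ip" and self.src_port is None and self.dst_port is None

    def as_network_only(self) -> str:
        """Textual rewrite of this ACE to protocol 'ip' with any port operators dropped."""
        return (f"access-list {self.acl_name} extended {self.action} ip "
                f"{_fmt_addr(self.src)} {_fmt_addr(self.dst)}")


def _fmt_addr(addr: Tuple[str, str]) -> str:
    net, mask = addr
    if mask == HOST_MASK:
        return f"host {net}"
    if net == "0.0.0.0" and mask == "0.0.0.0":
        return "any"
    return f"{net} {mask}"


def _take_addr(tokens: List[str], i: int):
    """Consume one address term (host X | any | net mask) at tokens[i]."""
    t = tokens[i]
    if t == "host":
        return (tokens[i + 1], HOST_MASK), i + 2
    if t == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    return (t, tokens[i + 1]), i + 2


def _take_port(tokens: List[str], i: int):
    """Consume an optional port operator at tokens[i]; return (text or None, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse: access-list <name> extended <permit|deny> <proto> <src> [port] <dst> [port]."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 7 or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    src, i = _take_addr(tokens, 5)
    src_port, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i)
    return Ace(name, action, proto, src, src_port, dst, dst_port)


def audit_crypto_acl(text: str) -> List[dict]:
    """Classify every ACE in `text` as address-only or port-qualified."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ace = parse_ace(line)
        network_only = ace.is_network_only()
        findings.append({
            "line": line,
            "network_only": network_only,
            "protocol": ace.protocol,
            "ports": [p for p in (ace.src_port, ace.dst_port) if p],
            "network_only_form": None if network_only else ace.as_network_only(),
        })
    return findings


if __name__ == "__main__":
    for f in audit_crypto_acl(SAMPLE_ACL_TEXT):
        tag = "address-only" if f["network_only"] else f"port-qualified ({f['protocol']} {' '.join(f['ports'])})"
        print(f"{tag:32} {f['line']}")
        if f["network_only_form"]:
            print(f"{'':32} -> {f['network_only_form']}")
```

Run it against a `show running-config access-list` dump limited to the crypto-map ACL and the report answers the auditor's question line by line: each entry is either address-only (what the posted config uses) or carries a protocol/port qualifier, with the address-only equivalent printed beside it.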
