Reg. Crypto ACL query for S2S/RA VPN

Apr 22nd, 2008

Hi all / husycisco

Consider the following config for S2S VPN:

access-list outside_cryptomap_140 extended permit ip host host

access-list outside_cryptomap_140 extended permit ip host

My query is: instead of using an IP-based crypto ACL, can I configure it TCP-based? I have tried doing the same; however, no success. If we cannot do it, is there any specific reason for the same?

The reason for this query is that all auditors pinpoint as to why the IP-based ACL is given. Any help for the same will be appreciated.

husycisco Tue, 04/22/2008 - 13:11

Hi Ankur,

By specifying a port in any ACL that is a network ACL instead of a restriction ACL (like NAT ACLs, interesting-traffic ACLs, tunnel ACLs), you are making the device check the port portion of each packet during "routing", which is not permitted in Cisco firewall appliances, since that would decrease the performance slightly for a stateful firewall. You should have got a warning "Warning: port specified in bla bla will slightly decrease bla bla" (I can't remember the exact phrase) whenever you try to do this.
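As an added audit check (not code from the thread or from Cisco), the script below parses ASA-style `access-list` and `crypto map ... match address` lines and flags crypto ACL entries whose protocol is anything other than `ip`, which is the condition the reply above says the appliance warns about. The config fragment and addresses are constructed for illustration.

```python
import re

# Constructed sample ASA config fragment; names and addresses are illustrative only.
SAMPLE_CONFIG = """
access-list outside_cryptomap_140 extended permit ip host 10.1.1.10 host 192.0.2.20
access-list outside_cryptomap_140 extended permit tcp host 10.1.1.11 host 192.0.2.21 eq 443
access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 22
crypto map outside_map 140 match address outside_cryptomap_140
"""

# access-list <name> extended <permit|deny> <protocol> <rest of ACE>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
# crypto map <map> <seq> match address <acl-name>
MAP_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")


def crypto_acl_names(config):
    """Collect the names of ACLs that a crypto map uses as interesting-traffic ACLs."""
    names = set()
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def find_non_ip_crypto_aces(config):
    """Return (acl_name, protocol, line) for crypto ACL entries not written as plain 'ip'.

    Interface ACLs (not referenced by a crypto map) may legitimately carry
    tcp/udp and ports, so they are ignored here.
    """
    names = crypto_acl_names(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m:
            continue
        acl, _action, proto, _rest = m.groups()
        if acl in names and proto.lower() != "ip":
            findings.append((acl, proto.lower(), line))
    return findings


if __name__ == "__main__":
    for acl, proto, line in find_non_ip_crypto_aces(SAMPLE_CONFIG):
        print(f"crypto ACL {acl} has a {proto}-based entry: {line}")
```

Running it on the sample reports the `tcp ... eq 443` entry in `outside_cryptomap_140` and leaves the interface ACL `outside_access_in` alone.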
