Reg. Crypto ACL query for S2S/RA VPN

ankurs2008
Level 1

Hi all / husycisco

Consider the following config for S2S VPN:

access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3

access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0

My query is: instead of using an IP-based crypto ACL, can I configure it TCP-based? I have tried doing the same; however, no success. If we cannot do it, is there any specific reason for the same?

The reason for this query is that all auditors pinpoint as to why the IP-based ACL is given. Any help for the same will be appreciated.

Regards

Ankur

1 Reply

husycisco
Level 7

Hi Ankur,

By specifying a port in any ACL that is a network ACL instead of a restriction ACL (like NAT ACLs, interesting traffic ACLs, tunnel ACLs), you are making the device check the port portion of each packet during "routing", which is not permitted in Cisco firewall appliances, since that would decrease the performance slightly for a stateful firewall. You should have got a warning "Warning port specified in bla bla will slightly decrease bla bla" (I can't remember the exact phrase) whenever you try to do this.

Regards
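To give an auditor a factual answer about what a crypto ACL selects, it helps to parse the ACEs and state per ACL whether the selector is pure IP or narrowed by protocol/port. The following is an added example, not code from the thread or from Cisco: a small parser for ASA `access-list NAME extended` lines that handles the `host`, `any` and `NETWORK MASK` address forms (object-group references are assumed not to appear) and reports which ACEs specify a protocol other than `ip` or a port operator. The third ACE in the sample is constructed for contrast; the first two are the ones quoted in the question.

```python
# Constructed sample: the two ACEs quoted in the post plus one constructed port-based ACE
SAMPLE_CONFIG = """\
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
access-list outside_cryptomap_150 extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq 443
"""

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count

def _addr(tokens, i):
    """Consume one address spec ('host X', 'any', or 'NETWORK MASK'); return (text, next index).
    Assumption: no 'object' / 'object-group' references in the ACE."""
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/32", i + 2
    if tokens[i] in ("any", "any4", "any6"):
        return tokens[i], i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2

def _port(tokens, i):
    """Consume an optional port operator such as 'eq 443' or 'range 1 1024'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]] + 1
        return " ".join(tokens[i:i + n]), i + n
    return None, i

def parse_ace(line):
    """Parse one ASA 'access-list NAME extended ACTION PROTO SRC [port] DST [port]' line.
    Returns None for any other configuration line."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, i = _addr(t, 5)
    src_port, i = _port(t, i)
    dst, i = _addr(t, i)
    dst_port, _ = _port(t, i)
    return {"acl": t[1], "action": t[3], "protocol": t[4], "src": src,
            "src_port": src_port, "dst": dst, "dst_port": dst_port}

def audit_crypto_acls(config_text):
    """Per ACL name: ACE count and the ACEs that narrow the selector by protocol or port.
    An ACL whose 'port_restricted' list is empty is a pure IP-based selector."""
    report = {}
    for line in config_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        entry = report.setdefault(ace["acl"], {"aces": 0, "port_restricted": []})
        entry["aces"] += 1
        if ace["protocol"] != "ip" or ace["src_port"] or ace["dst_port"]:
            entry["port_restricted"].append(line.strip())
    return report
```

Run `audit_crypto_acls` over a `show running-config access-list` capture to list which crypto map ACLs are IP-only and which carry port restrictions.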