L2L VPN question

Unanswered Question
Feb 6th, 2009

Hi,

I have Cisco PIX 515E(8.0.3) and Cisco 5520(8.0.4). Between these devices I made L2L VPN.

Behind Pix1 is LAN 192.168.10.0/24

Behind Pix2 is LAN 10.11.13.0/24

Do I need outside interface ACL's to communicate these LAN's?

Or it's enough to configure crypto ACL

with permit ip ACE's of both side.

Because in official documentation is "The crypto access list does not determine whether to permit or deny traffic through the interface".

But when I disable outside interface ACL's on both devices, the communication still works.

Many thanks.

Vladislav

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
pstebner10 Fri, 02/06/2009 - 08:30

The 'sysopt connection permit-vpn' command allows all IPSec related traffic to reach the firewall, in effect bypassing any ACLs on the outside interface. I believe this is enabled by default on v8. If you require more granular control over your VPN clients, you can disable this with the 'no sysopt connection permit-vpn' command and then setup access lists. You will need to allow ports 50,51 and 500 explicitly if you do this.

HTH,

Paul

valsidalv Fri, 02/06/2009 - 12:13

So, if I have "sysopt connection permit-vpn" enabled, access control inside L2L VPN is only done with crypto map access list?

Because this doesn't work for me. I must allow communication from 10.11.13.0/24 to 192.168.10.0/24 in interface ACL(I can see hits in ACE's), not only in crypto map ACL(I can't see hits in crypto map ACE's).

Thanks,

Vladislav

pstebner10 Fri, 02/06/2009 - 13:16

Vladislav-

The sysopt command allows IPSec traffic that terminates at your outside interface to come through it but not through any other interface on the FW - that has to be explicity defined in ACLs.

Also, if you are allowing traffic from the private networks to communicate, i.e. not PATing them to at the outside interfaces, then you will also need ACLs to bypass NAT. So you would have something like this on the FW that contains the 10.11.13.0/24 subnet:

access-list Inside_IN extended permit ip 192.168.10.0 255.255.255.0 any

access-list L2LVPN_NONAT extended permit ip 10.11.13.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list L2LVPN_NONAT

access-group Inside_IN in interface inside

and the opposite on the other firewall.

HTH,

Paul

Actions

This Discussion