L2L VPN question

Unanswered Question
Feb 6th, 2009

I have a Cisco PIX 515E (8.0.3) and a Cisco ASA 5520 (8.0.4). Between these devices I made an L2L VPN.

Behind Pix1 is LAN

Behind Pix2 is LAN

Do I need outside interface ACLs for these LANs to communicate?

Or is it enough to configure a crypto ACL with permit ip ACEs on both sides?

Because the official documentation says: "The crypto access list does not determine whether to permit or deny traffic through the interface".

But when I disable the outside interface ACLs on both devices, the communication still works.

Many thanks.


pstebner10 Fri, 02/06/2009 - 08:30
The 'sysopt connection permit-vpn' command allows all IPsec-related traffic to reach the firewall, in effect bypassing any ACLs on the outside interface. I believe this is enabled by default on v8. If you require more granular control over your VPN clients, you can disable this with the 'no sysopt connection permit-vpn' command and then set up access lists. You will need to allow ports 50, 51 and 500 explicitly if you do this.



valsidalv Fri, 02/06/2009 - 12:13
So, if I have "sysopt connection permit-vpn" enabled, is access control inside the L2L VPN only done with the crypto map access list?

Because this doesn't work for me. I must allow communication from to in the interface ACL (I can see hits on the ACEs), not only in the crypto map ACL (I can't see hits on the crypto map ACEs).



pstebner10 Fri, 02/06/2009 - 13:16
The sysopt command allows IPsec traffic that terminates at your outside interface to come through it, but not through any other interface on the FW - that has to be explicitly defined in ACLs.

Also, if you are allowing traffic from the private networks to communicate, i.e. not PATing them to at the outside interfaces, then you will also need ACLs to bypass NAT. So you would have something like this on the FW that contains the subnet:

access-list Inside_IN extended permit ip any
access-list L2LVPN_NONAT extended permit ip
nat (inside) 0 access-list L2LVPN_NONAT
access-group Inside_IN in interface inside

and the opposite on the other firewall.
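To put the two answers together (sysopt behaviour on the outside interface, NAT exemption and the inside ACL), here is a complete site-A configuration in 8.0 (pre-8.3 NAT) syntax. This is an added example, not configuration from anyone in the thread; every address, interface name, ACL name and peer is an assumption chosen for illustration (RFC 1918 / RFC 5737 ranges), and site B is the mirror image.

```cisco
! Added example (not from the thread): site A of a two-site L2L tunnel, ASA/PIX 8.0 syntax.
! All addresses and names below are assumptions for illustration:
!   site A inside 10.1.1.0/24, outside 203.0.113.10 (this box)
!   site B inside 10.2.2.0/24, outside 198.51.100.20 (peer)
! Site B gets the same config with the two subnets and the peer address swapped.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! 1. Crypto ACL: selects what gets encrypted. It never permits or denies
!    traffic through an interface; that is what the interface ACLs do.
access-list L2L_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! 2. NAT exemption, so the private addresses cross the tunnel unchanged instead
!    of being PATed to the outside address. Same subnets as the crypto ACL.
access-list L2LVPN_NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list L2LVPN_NONAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! 3. The inside interface ACL is still checked for LAN traffic heading into the
!    tunnel; sysopt only affects the interface the tunnel terminates on.
access-list Inside_IN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list Inside_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group Inside_IN in interface inside

! 4. IKE phase 1, IPsec phase 2 and the crypto map bound to outside.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY

! 5a. Default: decrypted tunnel traffic arriving on outside bypasses the
!     outside interface ACL, which is why removing that ACL changes nothing.
sysopt connection permit-vpn

! 5b. Alternative: make decrypted traffic obey the outside ACL. The ACEs match
!     the inner (private) addresses, because the check runs after decryption.
! no sysopt connection permit-vpn
! access-list Outside_IN extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
! access-group Outside_IN in interface outside

! Checks: phase 1 up, SA established, packets actually encrypted/decrypted.
! show crypto isakmp sa
! show crypto ipsec sa peer 198.51.100.20
! show access-list Inside_IN
! show running-config sysopt
```

When verifying that the crypto ACL selects the right traffic, look at the #pkts encaps/decaps counters in `show crypto ipsec sa` rather than at ACE hit counts: the crypto ACL is consulted as a traffic selector, not evaluated as an interface ACL, so the interface ACLs (Inside_IN, and Outside_IN only when sysopt is disabled) are where hits appear.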



