04-23-2010 01:18 PM - edited 02-21-2020 04:36 PM
Hello,
On a PIX 515E v.6.3.5.
Are there three ACLs that can come into play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends")
1. nat (0) ACL - to NOT NAT traffic that is part of the IPSec VPN
2. Crypto ACL - ACL that distinguishes whether the traffic is destined for the IPSec tunnel.
3. ACL - ACL to permit | deny traffic after ACL #1 and #2.
Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words, the sysopt doesn't participate in ACL #1 or #2 listed above?
The mirroring of ACLs that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?
Thanks,
Dan
04-23-2010 01:33 PM
pdvcisco wrote:
Hello,
On a PIX 515E v.6.3.5. Are there three ACLs that can come into play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends")
1. nat (0) ACL - to NOT NAT traffic that is part of the IPSec VPN
2. Crypto ACL - ACL that distinguishes whether the traffic is destined for the IPSec tunnel.
3. ACL - ACL to permit | deny traffic after ACL #1 and #2.
Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words, the sysopt doesn't participate in ACL #1 or #2 listed above?
The mirroring of ACLs that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?
Thanks,
Dan
Dan
It depends
1) Not always used, because with a site-to-site VPN sometimes you have to NAT your internal addressing.
2) Always needed.
3) If "sysopt connection permit-ipsec" is configured, any ACL on the interface where the VPN is terminated is bypassed. If it isn't enabled, then once packets are decrypted they are checked against the ACL.
Mirroring of ACLs is required.
Jon
04-23-2010 01:37 PM
Jon,
Thanks, that gets me mostly there. For the last question: which ACL "must" be mirrored? It is inferred from your answer that only the second ACL must be mirrored, and only that one matters to the actual IPSec VPN - the VPN doesn't even know of the other ACLs, correct?
Dan
04-23-2010 01:39 PM
Dan
Correct, only crypto ACLs need to mirror each other, because it is this ACL that is used to determine what the peers think the remote and local subnets are.
Jon
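Jon's two answers describe the three ACLs and the mirroring rule in prose. As an added example (not from the thread, and not Cisco code), the Python script below parses constructed PIX 6.3 fragments for two peers and runs the checks a practitioner would want before bringing the tunnel up: that the crypto ACLs mirror each other, that each crypto entry is covered by the nat (0) ACL, and whether "sysopt connection permit-ipsec" or the interface ACL governs decrypted traffic. The two configs, the ACL names (nonat, vpn_traffic, outside_in), the addresses and the function names are all assumptions made for illustration.

```python
"""Checks for the three ACLs of a PIX 6.3 site-to-site IPsec VPN (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed PIX 6.3 fragments for two peers; sample data, not from the thread.
# Site A has a second crypto entry (to 192.168.3.0/24) that Site B does not mirror and
# that Site A's nat (0) ACL does not exempt, so both failure modes show up in the report.
SITE_A_CONFIG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_in permit tcp any host 203.0.113.10 eq 443
nat (inside) 0 access-list nonat
access-group outside_in in interface outside
sysopt connection permit-ipsec
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap interface outside
"""
SITE_B_CONFIG = """\
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_traffic permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in permit icmp any any
nat (inside) 0 access-list nonat
access-group outside_in in interface outside
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap interface outside
"""


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirrored(self):
        """The entry the peer must carry: same action and protocol, src and dst swapped."""
        return Ace(self.action, self.proto, self.dst, self.src)


def _addr(t, i):
    """Parse one PIX address term at t[i]: 'any', 'host A' or 'A MASK' (PIX uses real masks)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract named ACLs, the nat (0) ACL, crypto ACLs, interface ACL bindings and the
    sysopt flag. Port qualifiers (eq 443 ...) are ignored; only ip-level matching is modelled."""
    cfg = {"acls": {}, "nat0": None, "crypto": [], "access_group": {},
           "crypto_iface": None, "sysopt_permit_ipsec": False}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 6 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append(Ace(t[2], t[3], src, dst))
        elif len(t) >= 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"] = t[4]
        elif t[:2] == ["crypto", "map"] and "address" in t:
            cfg["crypto"].append(t[t.index("address") + 1])
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[3] == "interface":
            cfg["crypto_iface"] = t[4]
        elif len(t) == 5 and t[0] == "access-group" and t[2] == "in":
            cfg["access_group"][t[4]] = t[1]
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt_permit_ipsec"] = True
    return cfg


def check_mirror(local, remote):
    """Crypto ACLs must mirror: each local entry, swapped, must exist on the peer and vice versa.
    Returns (local entries unmatched on the peer, peer entries unmatched locally)."""
    local_set, remote_set = set(local), set(remote)
    return ([a for a in local if a.mirrored() not in remote_set],
            [b for b in remote if b.mirrored() not in local_set])


def not_nat_exempt(cfg, crypto_acl):
    """Crypto permit entries not covered by any nat (0) entry. That traffic is translated
    before the crypto map sees it, which is only right if the crypto ACL was deliberately
    written for the translated addresses (the case Jon's point 1 describes)."""
    exempt = cfg["acls"].get(cfg["nat0"], [])
    return [a for a in cfg["acls"].get(crypto_acl, []) if a.action == "permit"
            and not any(a.src.subnet_of(e.src) and a.dst.subnet_of(e.dst) for e in exempt)]


def audit(cfg_a, cfg_b):
    """Run all three checks for a pair of peers; returns a list of findings (empty = clean).
    Assumes one crypto map entry per side (the first 'match address' ACL)."""
    findings = []
    for name, cfg, peer in (("A", cfg_a, cfg_b), ("B", cfg_b, cfg_a)):
        crypto = cfg["crypto"][0]
        missing, _ = check_mirror(cfg["acls"][crypto], peer["acls"][peer["crypto"][0]])
        findings += [f"{name}: crypto entry {a.src}->{a.dst} has no mirror on the peer"
                     for a in missing]
        findings += [f"{name}: crypto entry {a.src}->{a.dst} is not exempted by nat (0) ACL "
                     f"{cfg['nat0']}" for a in not_nat_exempt(cfg, crypto)]
        if not cfg["sysopt_permit_ipsec"]:
            acl = cfg["access_group"].get(cfg["crypto_iface"]) or "no ACL"
            findings.append(f"{name}: no 'sysopt connection permit-ipsec'; decrypted traffic "
                            f"is checked against {acl} on {cfg['crypto_iface']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SITE_A_CONFIG), parse_config(SITE_B_CONFIG)):
        print(finding)
```

On the sample data the report lists the 192.168.1.0/24 to 192.168.3.0/24 entry twice for Site A (no mirror on Site B, not NAT-exempt) and notes that on Site B, which lacks the sysopt, decrypted packets are filtered by outside_in on the outside interface. The mirror check deliberately compares exact networks: a peer that carries a larger summary subnet is not a mirror from the PIX's point of view, which is the usual cause of a tunnel that comes up in one direction only.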
04-23-2010 03:07 PM
Thanks Jon! That was just what I needed, perfect.