×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

VPN Tunnel Access

Unanswered Question

We have brought up a vpn tunnel between a PIX 520 and a 3000 concentrator. There is an access-list bound to the inside interface (in) of the pix. In order to allow traffic over the tunnel we are forced to add entries to the access list. When a tunnel is configured, should it bypass the access list on the interface and use only the access list referenced in the crypto map statement?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
thult Tue, 01/28/2003 - 15:27
User Badges:

If you have a access-list bound to the inside interface you would not add the entries regarding the encrypted traffic there.

You only have to add those entries to the access-list that is bound to the crypto map and (if used) to the access-list bound to the NAT 0 statement.

thult Wed, 01/29/2003 - 00:34
User Badges:

One thing you should know is that when you are working with PIX:es in VPN-environments and is doing VPN-changes, the PIX sometimes need to be reloaded.

I am 100% sure that you do not have to have the acl on the inside interface, but only in the crypto acl. Try removing the corresponding lines from the inside acl, save and reload the unit.

If you like, you can send the config to me.

ajagadee Wed, 01/29/2003 - 20:44
User Badges:
  • Cisco Employee,

Hi,


If I understand you correctly, your config looks something similar to:


crypto map mymap 10 match address 100

access-list 100 permit ip 10.1.1.0 255.255.25.0 10.10.10.0 255.255.255.0


access-group 150 in interface inside

access-list 150 permit ip 10.1.1.0 255.255.25.0 10.2.2.0 255.255.255.0


If the above is the case, then you have to add a statement that permits ip addresses from 10.1.1.x/24 to 10.10.10.x/24 in your access-list 150. Without this statement, the pix will deny the packets with source 10.1.1.x to 10.10.10.x and will not go through the tunnel.


Regards,

Arul




thult Wed, 01/29/2003 - 23:50
User Badges:

I´m sorry for missleading you. If you have bound a access-list to the inside interface you do of course need to permit the traffic for the other side of the tunnel in that list too.

If you do not have any access-list bound to the inside interface, you dont have to create one and assign it to the interface for the VPN to work, it is just when you akready have one that you have to specify the VPN-traffic in it.

bswitzer Sat, 02/08/2003 - 23:32
User Badges:

Depends upon (a) static or dynamic access to internet and (b) how you're creating the tunnel.


If dynamic, you can't be using an access list on the pix, for tunneled traffic. Access lists only apply to unencryptrd (public) traffic.


If you're using 'EasyVPN' (vpnc lines) then your access-lists for tunnel traffic are being dynamically created by your 3000 sending down it's policy to the pix.


Don't know how much, if any, that helps you.


Traffic hits the access list associated with it. If tunnelled traffic, it hits the crypto access list, if not, the other.

Actions

This Discussion