VPN Tunnel Access

cobrien
Level 1

We have brought up a VPN tunnel between a PIX 520 and a 3000 concentrator. There is an access-list bound to the inside interface (in) of the PIX. In order to allow traffic over the tunnel we are forced to add entries to the access list. When a tunnel is configured, should it bypass the access list on the interface and use only the access list referenced in the crypto map statement?

6 Replies

thult
Level 1

If you have an access-list bound to the inside interface you would not add the entries regarding the encrypted traffic there.

You only have to add those entries to the access-list that is bound to the crypto map and (if used) to the access-list bound to the NAT 0 statement.

Well, that's what I thought and had never seen this issue before but it seems to apply here. Once I add the entries to acl on the inside interface (not the one bound to the crypto map), it starts working. Pretty strange.

One thing you should know is that when you are working with PIXes in VPN environments and are doing VPN changes, the PIX sometimes needs to be reloaded.

I am 100% sure that you do not have to have the ACL on the inside interface, but only in the crypto ACL. Try removing the corresponding lines from the inside ACL, save and reload the unit.

If you like, you can send the config to me.

ajagadee
Cisco Employee

Hi,

If I understand you correctly, your config looks something similar to:

crypto map mymap 10 match address 100

access-list 100 permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0

access-group 150 in interface inside

access-list 150 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

If the above is the case, then you have to add a statement that permits IP addresses from 10.1.1.x/24 to 10.10.10.x/24 in your access-list 150. Without this statement, the PIX will deny the packets with source 10.1.1.x to 10.10.10.x and they will not go through the tunnel.

Regards,

Arul
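The evaluation order described in this reply (inbound interface ACL first, crypto map ACL second), as an added model that is not part of the thread and not Cisco code. It reuses the thread's constructed addresses and ACL numbers; the evaluator assumes PIX netmask notation, first-match semantics and the implicit deny at the end of every ACL.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry in PIX style: 'ip' traffic, netmask notation."""
    action: str  # "permit" or "deny"
    src: str     # e.g. "10.1.1.0 255.255.255.0"
    dst: str


def _in_net(net: str, ip: str) -> bool:
    addr, mask = net.split()
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_lookup(acl, src, dst) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if _in_net(ace.src, src) and _in_net(ace.dst, dst):
            return ace.action == "permit"
    return False


def forward(src, dst, inside_acl, crypto_acl) -> str:
    """Order of operations modelled here: the access-group bound to the inside
    interface is consulted before the crypto map ever sees the packet.
    inside_acl=None models an interface with no access-group bound."""
    if inside_acl is not None and not acl_lookup(inside_acl, src, dst):
        return "dropped by interface ACL"
    if acl_lookup(crypto_acl, src, dst):
        return "encrypted into tunnel"
    return "forwarded in clear"


# Constructed from the reply's example config.
ACL_100 = [Ace("permit", "10.1.1.0 255.255.255.0", "10.10.10.0 255.255.255.0")]  # crypto ACL
ACL_150 = [Ace("permit", "10.1.1.0 255.255.255.0", "10.2.2.0 255.255.255.0")]    # inside ACL as posted
# Inside ACL after adding the permit the reply asks for.
ACL_150_FIXED = ACL_150 + [Ace("permit", "10.1.1.0 255.255.255.0", "10.10.10.0 255.255.255.0")]

if __name__ == "__main__":
    for inside in (ACL_150, ACL_150_FIXED, None):
        print(forward("10.1.1.5", "10.10.10.7", inside, ACL_100))
```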

I'm sorry for misleading you. If you have bound an access-list to the inside interface you do of course need to permit the traffic for the other side of the tunnel in that list too.

If you do not have any access-list bound to the inside interface, you don't have to create one and assign it to the interface for the VPN to work; it is just when you already have one that you have to specify the VPN traffic in it.

bswitzer
Level 1

Depends upon (a) static or dynamic access to internet and (b) how you're creating the tunnel.

If dynamic, you can't be using an access list on the PIX for tunneled traffic. Access lists only apply to unencrypted (public) traffic.

If you're using 'EasyVPN' (vpnc lines) then your access-lists for tunnel traffic are being dynamically created by your 3000 sending down its policy to the PIX.

Don't know how much, if any, that helps you.

Traffic hits the access list associated with it. If tunnelled traffic, it hits the crypto access list, if not, the other.