Community Member

Crypto Maps and Access Rule

When I create a crypto map, do I still need to create an access list rule for it? Or will anything on the crypto map be encrypted so that I don't need to create an access rule?

5 REPLIES
Hall of Fame Super Blue

Re: Crypto Maps and Access Rule

Could you clarify what you mean. Without an access-list the crypto map doesn't know what traffic to encrypt.

Jon

Community Member

Re: Crypto Maps and Access Rule

On the ASA, when you create a site-to-site VPN, you create a crypto map and you set up what traffic to encrypt; it looks like an access rule. What I noticed was that I'm seeing from the access rule that it was being blocked, but the encrypted traffic seems to be still working. I opened up certain ports to allow on one of our site-to-site tunnels, and I configured that in the crypto map rule.

Silver (Accepted Solution)

Re: Crypto Maps and Access Rule

If you have "sysopt connection permit-ipsec" in the configuration, IPsec traffic will bypass the access rule ACL you applied to the interface.

The workaround is to disable it with "no sysopt connection permit-ipsec" and let the ACL do the work for you.

Community Member

Re: Crypto Maps and Access Rule

How do I find out whether sysopt connection permit-ipsec is enabled or not? Also, on our ASA I don't have permit-ipsec, only permit-vpn, unless they are the same.
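The two points the thread turns on, as an added example that is not part of the original posts: the crypto map ACL only selects which traffic is encrypted and has no permit/deny effect, and the bypass of the interface ACL is controlled by "sysopt connection permit-vpn" (the older name "permit-ipsec" was renamed to "permit-vpn" in later ASA releases; they are the same setting). Because it is on by default it does not appear in "show running-config"; "show running-config all sysopt" shows the effective value. Interface and ACL names, addresses, the transform-set name and the port in the hardened ACL are assumed for illustration; IKE policy, transform set and tunnel-group configuration are omitted.

```cisco
! Added example, not configuration from the thread. Names and addresses are assumed.
!
! The crypto map ACL is only a traffic selector: it decides what gets encrypted
! toward the peer, it does not permit or deny anything.
access-list L2L_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Weak (default) state: decrypted tunnel traffic bypasses the ACL applied to
! "outside", so OUTSIDE_IN below is never consulted for it. Being the default,
! this line is hidden from "show running-config"; verify with:
!   show running-config all sysopt
! Older images print it as "sysopt connection permit-ipsec".
sysopt connection permit-vpn
!
! Hardened state: turn the bypass off so the interface ACL applies to decrypted
! traffic as well, then permit only what the tunnel is supposed to carry and
! log what the remote site tries beyond that.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list OUTSIDE_IN extended deny ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 log
access-group OUTSIDE_IN in interface outside
```

Two caveats when disabling the bypass: the interface ACL then applies to traffic arriving through every VPN terminated on that interface (remote-access tunnels included), so it must permit all of them, not just this site-to-site tunnel; and if you would rather keep the bypass on, a per-tunnel "vpn-filter" ACL in the group policy is enforced on tunnel traffic regardless of the sysopt setting.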
