Consider the following Phase 2 parameters of a VPN. The issue is that I need to give a clear-text access-list too, along with the normal Crypto ACL and NO-NAT ACL. I am not able to find out the reason for the same.
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer 65.127.X.X
crypto map outside_map 140 set transform-set ESP-3DES-SHA
access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3
Query: In a Site-to-Site VPN, ideally only the Crypto ACL (interesting traffic ACL) and the NO-NAT ACL are required. However, in some VPN scenarios a clear-text ACL is also required, without which, even after the tunnel is up, devices are unreachable and the following error is given:
"Connection denied by webdmz_access_in"
Please let me know the following:
1) Is it really required?
2) If not, what are those scenarios in which it needs to be given?
As you know, traffic from a higher security interface to a lower security interface is permitted by default. That means if there is no access-list applied to the higher security level interface, traffic will be permitted. It is not really required.
But in some firewall implementations, security admins apply an access-list to that higher security level interface to filter traffic originated from inside, by the trusted users. In this case, they permit specific traffic, then a deny any any at the end. Since the traffic is filtered, you have to specifically permit the tunnel traffic.
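The two cases described in the answer, written out as an added ASA configuration example (not the poster's configuration and not from the original thread). It assumes an ASA using the pre-8.3 "nat 0 access-list" NAT-exemption syntax, an interface named appdmz at security level 50 and an outside interface at security level 0; the host addresses and crypto map lines are taken from the post, and the interface ACL entries other than the tunnel permit are made up for illustration.

```text
! Added example, not the poster's configuration.
! Assumed: ASA with pre-8.3 NAT syntax, interface appdmz (security-level 50),
! interface outside (security-level 0). Hosts are taken from the post.

! 1. Crypto ACL: defines the interesting traffic for the phase 2 SA
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3

! 2. NAT exemption: keep real addresses on traffic that enters the tunnel
access-list appdmz_nat0_outbound extended permit ip host 10.81.34.59 host 10.100.8.3
nat (appdmz) 0 access-list appdmz_nat0_outbound

! 3. Phase 2 crypto map entry, as in the post
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer 65.127.X.X
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! Case A: no access-group applied to appdmz.
! Traffic from security level 50 to level 0 is permitted by default, so the
! clear-text packet reaches the crypto map and is encrypted. No extra ACL needed.

! Case B: an inbound ACL is applied to appdmz to restrict what DMZ hosts may
! initiate. The ACL is evaluated on the clear-text packet BEFORE the crypto
! map sees it, so the implicit deny at the end drops the flow and the syslog
! reports a deny by access-group appdmz_access_in even though the tunnel is up.
! The tunnel traffic must therefore be permitted explicitly, above the catch-all:
access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3
access-list appdmz_access_in extended permit tcp host 10.81.34.59 any eq 443
access-list appdmz_access_in extended deny ip any any
access-group appdmz_access_in in interface appdmz

! Check: packet-tracer shows which phase (ACCESS-LIST vs VPN encrypt) drops the flow
packet-tracer input appdmz tcp 10.81.34.59 1025 10.100.8.3 22
```

The name in the "Connection denied by ..." message is the ACL bound to the ingress interface of the clear-text packet, so that is the ACL that needs the permit entry, not the crypto ACL. Note also that this concerns only the clear-text direction leaving the inside or DMZ interface; on an ASA, decrypted traffic arriving from the tunnel bypasses the outside interface ACL as long as the default sysopt connection permit-vpn is in effect, which is why the problem usually shows up only on the higher-security side.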