PIX Site to Site VPN Issue

Consider the following Phase 2 parameters of a VPN. The issue is that I need to give a clear text access-list too, along with the normal Crypto ACL and NONAT ACL. I am not able to find out the reason for the same.

crypto map outside_map 140 match address outside_cryptomap_140

crypto map outside_map 140 set peer 65.127.X.X

crypto map outside_map 140 set transform-set ESP-3DES-SHA

a) Crypto ACL

access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8

access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3

access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0

b) NO NAT ACL

access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 host 10.200.253.8

access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0

access-list appdmz_outbound_nat0_acl extended permit ip host 10.81.34.59 host 10.100.8.3

c) Clear text ACL

access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh

access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8

access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3

Query: In a Site to Site VPN, ideally only the Crypto ACL (interesting traffic ACL) and the NO NAT ACL are required. However, in some VPN scenarios a clear text ACL is also required, without which, even after the tunnel is up, devices are unreachable and it gives the following error:

“Connection denied by webdmz_access_in”

Please let me know the following

1) Is it really required?

2) If not, what are the scenarios in which it needs to be given?

Regards

Ankur

1 REPLY

Re: PIX Site to Site VPN Issue

Hi Ankur,

As you know, traffic from a higher security interface to a lower security interface is permitted by default. That means if there is no access-list applied to the higher security level interface, traffic will be permitted. It is not really required.

But in some firewall implementations, security admins apply an access-list to that higher security level interface to filter traffic originating from inside, from the trusted users. In this case, they permit specific traffic, then a deny any any at the end. Since the traffic is filtered, you have to specifically permit the tunnel traffic.

Regards
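To see the behaviour the reply describes, here is an added example (not from the post or from Cisco): a small Python model of first-match ACL evaluation run over the ACL lines from the post. It assumes the evaluation order the reply gives (the ACL applied to the ingress interface is checked before the crypto map), does not model NAT exemption, and uses a constructed HTTPS flow from 10.10.49.30 that the crypto ACL covers but webdmz_access_in does not.

```python
import ipaddress
from collections import defaultdict, namedtuple

PORT_NAMES = {"ssh": 22, "www": 80, "https": 443}  # subset of the PIX port keywords
Flow = namedtuple("Flow", "proto src dst dport", defaults=(None,))  # dport None for icmp
Ace = namedtuple("Ace", "action proto src dst dport")               # one access-list entry

def ace_matches(a: Ace, f: Flow) -> bool:
    return (a.proto in ("ip", f.proto)
            and ipaddress.ip_address(f.src) in a.src
            and ipaddress.ip_address(f.dst) in a.dst
            and (a.dport is None or a.dport == f.dport))

def parse_acls(config: str) -> dict:
    """Group 'access-list NAME extended permit|deny ...' lines into ordered ACE lists."""
    acls = defaultdict(list)
    for line in config.strip().splitlines():
        tok = line.split()
        name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
        nets = []
        while len(nets) < 2:  # each address is "host A" or "NETWORK MASK"
            nets.append(ipaddress.ip_network(rest[1] if rest[0] == "host" else f"{rest[0]}/{rest[1]}"))
            rest = rest[2:]
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        acls[name].append(Ace(action, proto, nets[0], nets[1], port))
    return acls

def lookup(acl, flow: Flow) -> str:
    """First match wins; every PIX ACL ends with an implicit deny."""
    return next((a.action for a in acl if ace_matches(a, flow)), "deny")

def forward(flow: Flow, acls: dict, in_acl, crypto_acl: str) -> str:
    """Ingress decision: an ACL applied to the ingress interface is evaluated before
    the crypto map; NAT exemption is assumed correct and is not modelled (assumption)."""
    if in_acl is not None and lookup(acls[in_acl], flow) == "deny":
        return f"Connection denied by {in_acl}"
    return "encrypted" if lookup(acls[crypto_acl], flow) == "permit" else "clear text"

ACLS = parse_acls("""
access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh
access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8
""")  # ACL lines copied from the post

if __name__ == "__main__":
    https = Flow("tcp", "10.10.49.30", "10.100.8.5", 443)  # constructed: not in webdmz_access_in
    print(forward(https, ACLS, "webdmz_access_in", "outside_cryptomap_140"))  # denied by interface ACL
    print(forward(https, ACLS, None, "outside_cryptomap_140"))                # encrypted
```

With the interface ACL applied, only the SSH and ICMP flows it names reach the tunnel; every other flow the crypto ACL would encrypt is dropped with the "Connection denied by webdmz_access_in" message, which is why the extra permits are needed in that deployment.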
