ACL of "permit ip any any" over site-to-site VPN with PIX?

Can anyone tell me if it is possible to use an ACL of "permit ip any any" to tunnel all external traffic from one site to another on the PIX units, with ACL and NAT examples?

Currently, my ACL and NAT config are as follows:

access-list 140 permit ip 9.26.198.0 255.255.254.0 9.26.192.0 255.255.252.0
access-list 25 permit ip any any
nat (inside) 0 access-list 25
nat (inside) 0 9.26.198.0 255.255.254.0 0 0

(the other PIX basically mirrors this config)

This works fine, and a tunnel is properly built. Now, when I replace ACL 140 with "permit ip any any", I can't get a full tunnel established (looks like phase 1 happens, but phase 2 doesn't), even if I try and ping a host on the other network (i.e. 9.26.192.x). I get the exact same behavior if I try and ping/ftp/etc. a host external to the two networks (e.g. 12.12.12.12). Does there need to be some sort of corresponding ACL change to the other PIX? A different NAT statement? Just won't work, no matter what I do?

I realize that Cisco recommends against using an ACL of "permit ip any any" to tunnel all traffic to another PIX, but if this is possible, it would save us around 100 config lines per PIX unit (with 6 sites total).

Any help would be appreciated.

1 REPLY
Re: ACL of "permit ip any any" over site-to-site VPN with PIX?

Try this

access-list 140 permit ip 9.26.198.0 255.255.254.0 any
access-list 25 permit ip 9.26.198.0 255.255.254.0 any

mirrored on the other side.

Hope this helps
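The phase 2 failure in the question and the fix in the reply both come down to proxy identities: each IPsec SA is negotiated for one (local, remote) network pair taken from the crypto ACL, and the peer must offer the mirror image of that pair. A catch-all "permit ip any any" on one PIX offers 0.0.0.0/0 to 0.0.0.0/0, which has no mirror in the other PIX's specific ACL. The script below is an added example, not code from the thread or from Cisco: it parses the PIX-style ACEs used on this page (assuming only the "permit ip src mask dst mask" / "any" forms shown here), compares the crypto ACL on both peers, and reports entries with no mirror and any catch-all entries. The three sample configuration pairs are constructed from the addresses in the thread: the original working pair, the failing "any any" attempt, and the pair suggested in the reply.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]

# One PIX 6.x ACE in the forms that appear in this thread:
#   access-list <name> permit ip <src> <mask> <dst> <mask>   (either side may be "any")
_ADDR = r"any|\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,3}(?:\.\d{1,3}){3}"
ACE_RE = re.compile(
    rf"^access-list\s+(?P<acl>\S+)\s+permit\s+ip\s+(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})\s*$"
)


def _to_net(token: str) -> Net:
    """'any' becomes 0.0.0.0/0; 'addr mask' becomes the network in CIDR form."""
    if token == "any":
        return Net("0.0.0.0/0")
    addr, mask = token.split()
    return Net(f"{addr}/{mask}", strict=False)


def parse_acl(config: str, acl_name: str) -> List[Entry]:
    """Collect the (src, dst) network pairs of one named ACL from a config dump."""
    entries: List[Entry] = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("acl") == acl_name:
            entries.append((_to_net(m.group("src")), _to_net(m.group("dst"))))
    return entries


def proxy_id_report(local_cfg: str, remote_cfg: str, acl_name: str = "140") -> Dict:
    """Compare the crypto ACL on both peers.

    Phase 2 builds one IPsec SA per (src, dst) pair in the crypto ACL, so every
    pair on one side must appear swapped, as (dst, src), on the other side.
    Entries without a mirror are reported; so is any 'any any' catch-all.
    """
    local = parse_acl(local_cfg, acl_name)
    remote = parse_acl(remote_cfg, acl_name)
    local_set = set(local)
    remote_set = set(remote)
    remote_mirror = {(d, s) for s, d in remote}
    local_mirror = {(d, s) for s, d in local}
    catch_all = Net("0.0.0.0/0")
    return {
        "mirrored": local_set == remote_mirror,
        "local_unmatched": sorted(f"{s} -> {d}" for s, d in local_set - remote_mirror),
        "remote_unmatched": sorted(f"{s} -> {d}" for s, d in remote_set - local_mirror),
        "catch_all": any(s == catch_all and d == catch_all for s, d in local + remote),
    }


# Constructed sample configs using the thread's addresses: site A is 9.26.198.0/23,
# site B is 9.26.192.0/22, and site A wants all of its traffic tunnelled to B.
SITE_A_WORKING = """
access-list 140 permit ip 9.26.198.0 255.255.254.0 9.26.192.0 255.255.252.0
access-list 25 permit ip any any
nat (inside) 0 access-list 25
"""
SITE_B_WORKING = "access-list 140 permit ip 9.26.192.0 255.255.252.0 9.26.198.0 255.255.254.0\n"

# The failing attempt from the question: catch-all on A, B left unchanged.
SITE_A_ANY_ANY = "access-list 140 permit ip any any\n"

# The pair suggested in the reply: local subnet to any on A, mirrored on B.
SITE_A_SUGGESTED = """
access-list 140 permit ip 9.26.198.0 255.255.254.0 any
access-list 25 permit ip 9.26.198.0 255.255.254.0 any
nat (inside) 0 access-list 25
"""
SITE_B_SUGGESTED = "access-list 140 permit ip any 9.26.198.0 255.255.254.0\n"


if __name__ == "__main__":
    for label, a, b in [
        ("working", SITE_A_WORKING, SITE_B_WORKING),
        ("any any", SITE_A_ANY_ANY, SITE_B_WORKING),
        ("suggested", SITE_A_SUGGESTED, SITE_B_SUGGESTED),
    ]:
        print(label, proxy_id_report(a, b))
```

The check covers only the proxy identities that phase 2 negotiates. Whether site B will then forward traffic that arrived over the tunnel back out towards the Internet, and how it NATs that traffic, is a separate question that the thread does not settle; the "any" on the B side also means B will accept an SA for any destination site A proposes, so the reply's ACL pair is broad by design.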
