Cisco Support Community

New Member

ACL

Should we need to apply an access list which is created for VPN traffic specifically to an interface?

Say we already have an ACL named outside and we created one more for VPN traffic as access-list outside_cryptomap_20_1. Should we need to apply this one too? I think yes.

thanks

5 REPLIES
Gold

Re: ACL

Yes, you'll need ACLs (crypto ACLs) to distinguish between which IP traffic to encrypt and send via the VPN tunnel and which traffic not to encrypt. Of course you'll also require a nat (inside) 0 statement so that your encrypted traffic does not get NAT'ed.

The corresponds to your crypto ACL's.

Does this help? If so, please rate post!

Jay

New Member

Re: ACL

Should the crypto ACL be applied to an interface?

Gold

Re: ACL

Yes, read the following document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

If you need further help/explanation then let me know, please rate post if it helps you! :)

Jay

Re: ACL

Your crypto ACL is applied to the cryptomap. If you have "sysopt connection permit-ipsec" then you do not need to allow the VPN traffic through the outside ACL. This command is on by default in 7.x but not 6.x.

You do not apply the crypto ACL to an interface.
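
An added example, not part of the original thread and not Cisco tooling: a small Python check that audits a PIX-style configuration for the binding rules described in the replies above (crypto ACL referenced by the crypto map only, a nat 0 exemption present, and whether the interface ACL has to permit VPN traffic). The sample configuration is constructed; the addresses, the names `outside_map` and `nonat`, and the finding codes are assumptions.

```python
import re

# Constructed sample in PIX 6.x syntax. ACL names come from the thread; the
# addresses and the names "outside_map" and "nonat" are assumptions.
SAMPLE_CONFIG = """\
access-list outside permit tcp any host 203.0.113.10 eq 443
access-list outside_cryptomap_20_1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-group outside in interface outside
sysopt connection permit-ipsec
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map interface outside
"""

def audit(config, sysopt_default_on=False):
    """Return finding codes; sysopt_default_on=True models 7.x, False models 6.x."""
    def find(pattern):
        return re.findall(pattern, config, re.M)

    crypto_acls = set(find(r"^crypto map \S+ \d+ match address (\S+)"))
    iface_acls = set(find(r"^access-group (\S+) (?:in|out) interface \S+"))
    findings = []

    if not crypto_acls:
        findings.append("NO_CRYPTO_ACL")  # nothing selects traffic to encrypt
    for acl in sorted(crypto_acls & iface_acls):
        # A crypto ACL belongs on the crypto map, not on an interface.
        findings.append(f"CRYPTO_ACL_ON_INTERFACE:{acl}")
    if not find(r"^nat \(\S+\) 0 access-list \S+"):
        findings.append("NO_NAT_EXEMPTION")  # tunnel traffic would be NATed

    # Explicit "no" form wins, then an explicit enable, then the version default.
    if find(r"^no sysopt connection permit-ipsec\s*$"):
        bypass = False
    elif find(r"^sysopt connection permit-ipsec\s*$"):
        bypass = True
    else:
        bypass = sysopt_default_on
    if not bypass:
        findings.append("INTERFACE_ACL_MUST_PERMIT_VPN")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    bad = SAMPLE_CONFIG + "access-group outside_cryptomap_20_1 in interface outside\n"
    print(audit(bad))
```
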

Gold

Re: ACL

Ooops.. Grant is correct, slight typo on my half, should have read 'no' instead of 'yes'

Have not had my morning coffee!!! But Grant has explained it to the point.

Jay :o)
