
PIX/ASA site-to-site VPN config question

Do I need to specify the source IP address & mask in my access-list that's referenced in the crypto map "match address" line or can I just say "any"?

If I want to send certain traffic to one tunnel and other traffic to a different tunnel based solely on the destination address, can my access lists look like:

access-list main_tunnel extended permit ip any 192.168.1.0 255.255.255.0

access-list other_tunnel extended permit ip any 192.168.2.0 255.255.255.0

(and then, obviously, reference the appropriate access list in two different "crypto map" configs).

I'm just wondering because all the examples & templates that I've seen specify both the source & destination IPs, but since all my sites just have one subnet on the LAN, I might as well just say "any", right?

Any downside to this?

1 REPLY

Re: PIX/ASA site-to-site VPN config question

The downside is that the other end should be a mirror of the main end.

permit ip 192.168.1.0 255.255.255.0 any

permit ip 192.168.2.0 255.255.255.0 any

and you probably don't want that.
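As an added illustration of the mirroring rule in the reply above (this is not code from the thread or from Cisco), the following Python script parses ASA-style crypto ACL lines, computes the mirror ACL the peer must carry, and flags a local "any" source because it becomes an "any" destination on the peer. The ACL names and addresses are constructed sample values.

```python
import ipaddress
import re

# Matches ASA-style 'access-list NAME extended permit ip SRC DST' where
# SRC and DST are either 'any' or 'address mask' (the form used in the thread).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)$"
)

def to_network(token):
    """'any' -> 0.0.0.0/0, 'addr mask' -> ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_crypto_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]} for each permit-ip ACE."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            ace = (to_network(m["src"]), to_network(m["dst"]))
            acls.setdefault(m["name"], []).append(ace)
    return acls

def mirror(aces):
    """The crypto ACL the peer must carry: every ACE with src/dst swapped."""
    return [(dst, src) for src, dst in aces]

def audit_peer_acl(local_aces, peer_aces):
    """Findings for a site-to-site pair: is the peer ACL the exact mirror,
    and does a local 'any' source turn into an 'any' destination at the peer?"""
    findings = []
    if set(mirror(local_aces)) != set(peer_aces):
        findings.append("peer ACL is not the mirror image of the local ACL")
    for src, dst in local_aces:
        if src.prefixlen == 0:  # 'any' source on the local side
            findings.append(f"local 'any -> {dst}' mirrors to '{dst} -> any' at the "
                            "peer, so every packet the peer sources from that subnet matches the tunnel")
    return findings

# Constructed sample ACLs (hypothetical names and addresses, not from real devices).
LOCAL_ANY = "access-list main_tunnel extended permit ip any 192.168.1.0 255.255.255.0"
PEER_ANY = "access-list to_hub extended permit ip 192.168.1.0 255.255.255.0 any"
LOCAL_TIGHT = "access-list main_tunnel extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0"
PEER_TIGHT = "access-list to_hub extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0"
```

Run `audit_peer_acl` on the "any" pair and it reports the overly broad mirror; on the tight pair it returns no findings.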
