Pix VPN Config - Remote Gateway included in crypto ACL behavior?

obrien_sean
Level 1

Relevant portion of the Pix 515e 6.3 VPN Config

...

static (inside,outside) 172.25.0.1 10.0.0.1 netmask 255.255.255.255

static (inside,outside) 172.25.0.2 10.0.0.2 netmask 255.255.255.255

crypto map MyMap 8 match address MyVPN-protect

crypto map MyMap 8 set peer 172.30.0.50

...

access-list MyVPN-protect permit ip host 172.25.0.1 172.30.0.0 255.255.255.0

access-list MyVPN-protect permit ip host 172.25.0.2 172.30.0.0 255.255.255.0

My question is whether or not it is necessary to add a line to the crypto acl:

access-list MyVPN-protect deny ip any host 172.30.0.50

since the crypto acl contains the remote gateway's IP. My initial assumption is that it would not be necessary as the crypto acl specifies only two hosts as the src, but adding a deny seems to have cleared up a similar issue I have been having.

The above config (not including the deny) was not showing any packets between the gateway peers (debug packet ...) until I added the deny, and it then immediately started working.

In short if anyone could confirm the behavior of the Pix when the remote gateway IP is included in the crypto acl I would appreciate it.
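As an added illustration (not part of the original post), the following Python models the crypto ACL above as a first-match list, the way a crypto map uses it to decide which flows are selected for IPsec protection, and evaluates a few constructed flows against the ACL with and without the deny line. It models only the ACL match itself, not the PIX's full IPsec processing. Two things are assumed because the post does not give them: the deny line is placed before the permits (a deny only takes effect if it precedes the permits it is meant to override, since PIX access-list lines are evaluated in order), and 203.0.113.1 stands in for the PIX outside interface address, from which the peer-to-peer IKE/ESP traffic originates.

```python
"""Model a PIX crypto ACL as a first-match list and show which flows it
selects. Added example covering the PIX 6.x 'access-list ... ip' subset."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_endpoint(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Parse one endpoint: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'.
    PIX ACLs take a subnet mask here, not an IOS-style wildcard mask."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(lines: list[str], name: str) -> list[AclEntry]:
    """Return the entries of access-list `name` in configuration order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto = t[2], t[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, i = _parse_endpoint(t, 4)
        dst, _ = _parse_endpoint(t, i)
        entries.append(AclEntry(name, action, src, dst))
    return entries


def evaluate(entries: list[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins. No match is an implicit deny: the flow is
    not selected by the crypto map and is forwarded in the clear."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


# Taken from the post. The deny variant puts the deny first (assumption:
# the post does not say where the line was added).
ACL_WITHOUT_DENY = [
    "access-list MyVPN-protect permit ip host 172.25.0.1 172.30.0.0 255.255.255.0",
    "access-list MyVPN-protect permit ip host 172.25.0.2 172.30.0.0 255.255.255.0",
]
ACL_WITH_DENY = ["access-list MyVPN-protect deny ip any host 172.30.0.50"] + ACL_WITHOUT_DENY

# Constructed flows. 203.0.113.1 is a placeholder for the PIX outside
# interface address, which the post does not give.
FLOWS = {
    "host -> ordinary address in remote subnet": ("172.25.0.1", "172.30.0.10"),
    "host -> the remote peer address itself":    ("172.25.0.1", "172.30.0.50"),
    "PIX outside -> peer (IKE/ESP between gateways)": ("203.0.113.1", "172.30.0.50"),
}


def compare(name: str = "MyVPN-protect") -> dict[str, tuple[str, str]]:
    """Map each flow label to (action without the deny, action with it)."""
    without = parse_acl(ACL_WITHOUT_DENY, name)
    with_deny = parse_acl(ACL_WITH_DENY, name)
    return {label: (evaluate(without, *f), evaluate(with_deny, *f))
            for label, f in FLOWS.items()}


if __name__ == "__main__":
    for label, (a, b) in compare().items():
        print(f"{label:48s} without deny: {a:6s} with deny: {b}")
```

Run as-is, the comparison shows what the ACL alone decides: the gateway-to-gateway flow never matches, because its source is the PIX outside address rather than one of the two static hosts; the only flow the deny changes is traffic from 172.25.0.1 or 172.25.0.2 addressed to 172.30.0.50 itself, which the ACL without the deny selects for encryption.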

1 Reply

Not applicable

This is included to match the gateway configured on the crypto access lists.

The data should only pass through the gateway for the configured particular kind of traffic.
