Cisco Support Community

Pix VPN Config - Remote Gateway included in crypto ACL behavior?

Relevant portion of the Pix 515e 6.3 VPN Config


static (inside,outside) netmask

static (inside,outside) netmask

crypto map MyMap 8 match address MyVPN-protect

crypto map MyMap 8 set peer


access-list MyVPN-protect permit ip host

access-list MyVPN-protect permit ip host

My question is whether or not it is necessary to add a line to the crypto acl:

access-list MyVPN-protect deny ip any host

since the crypto ACL contains the remote gateway's IP. My initial assumption is that it would not be necessary, as the crypto ACL specifies only two hosts as the source, but adding a deny seems to have cleared up a similar issue I have been having.

The above config (not including the deny) was not showing any packets between the gateway peers (debug packet ...) until I added the deny, and then it immediately started working.

In short, if anyone could confirm the behavior of the PIX when the remote gateway IP is included in the crypto ACL, I would appreciate it.
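The question turns on which flows the crypto ACL selects, and Cisco ACLs are evaluated first-match, so where a deny sits relative to the permits decides what it affects. The following is an added example, not code from the post or from Cisco: a small first-match evaluator for PIX-style `access-list ... permit|deny ip SRC DST` lines, run against an ACL shaped like the one above. Every address in it is an assumed placeholder (the post does not show its addresses), and the flow labels (`host_a_to_peer`, `pix_to_peer`, etc.) are names chosen here for illustration.

```python
import ipaddress

# Added example, not from the original post. The crypto ACL below mirrors the
# shape of the poster's lines (permit ip host A host B); every address is an
# assumed placeholder, since the post's addresses are not shown.
LOCAL_GLOBAL_A = "203.0.113.10"   # assumed: outside static for inside host A
LOCAL_GLOBAL_B = "203.0.113.11"   # assumed: outside static for inside host B
PIX_OUTSIDE_IP = "203.0.113.1"    # assumed: PIX outside interface (IKE/ESP source)
REMOTE_PEER = "198.51.100.1"      # assumed: remote VPN gateway

CRYPTO_ACL = [
    f"access-list MyVPN-protect permit ip host {LOCAL_GLOBAL_A} host {REMOTE_PEER}",
    f"access-list MyVPN-protect permit ip host {LOCAL_GLOBAL_B} host {REMOTE_PEER}",
]
DENY_PEER = f"access-list MyVPN-protect deny ip any host {REMOTE_PEER}"


def _take_addr(tokens, i):
    """Consume one address spec (host X | any | NET MASK) starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # PIX ACLs use a real netmask (not a wildcard) after the network address
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny ip SRC DST' into (action, src_net, dst_net)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    src, i = _take_addr(tokens, 4)
    dst, _ = _take_addr(tokens, i)
    return action, src, dst


def evaluate(acl_lines, src_ip, dst_ip):
    """First-match evaluation, as Cisco ACLs do it.

    Returns 'permit' (flow is selected for IPsec), 'deny' (explicit deny: flow
    is sent in the clear) or 'no-match' (implicit deny at the end: also clear).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action
    return "no-match"


def selection_report(acl_lines):
    """Verdicts for the flows that matter here: the two protected hosts and the
    gateway-to-gateway traffic sourced from the PIX outside interface."""
    return {
        "host_a_to_peer": evaluate(acl_lines, LOCAL_GLOBAL_A, REMOTE_PEER),
        "host_b_to_peer": evaluate(acl_lines, LOCAL_GLOBAL_B, REMOTE_PEER),
        "pix_to_peer": evaluate(acl_lines, PIX_OUTSIDE_IP, REMOTE_PEER),
    }


if __name__ == "__main__":
    for label, acl in (
        ("permits only", CRYPTO_ACL),
        ("deny appended", CRYPTO_ACL + [DENY_PEER]),
        ("deny first", [DENY_PEER] + CRYPTO_ACL),
    ):
        print(f"{label:14} {selection_report(acl)}")
```

With the deny appended after the two permits, the host flows are still selected and only traffic the permits never covered (here, flows sourced from the PIX outside interface) hits the explicit deny; in crypto ACL terms an explicit deny and the implicit deny at the end both mean "send in the clear", so an appended deny only changes the outcome for flows the permits did not already match. Placed before the permits, the same deny unselects the protected hosts too, which is the ordering mistake to check for in `show access-list` before reading anything into a debug.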


Re: Pix VPN Config - Remote Gateway included in crypto ACL behavior?

This is included to match the gateway configured on the crypto access lists.

The data should only pass through the gateway configured for that particular kind of traffic.
