Cisco Support Community
New Member

VPN Tunnel Access

We have brought up a vpn tunnel between a PIX 520 and a 3000 concentrator. There is an access-list bound to the inside interface (in) of the pix. In order to allow traffic over the tunnel we are forced to add entries to the access list. When a tunnel is configured, should it bypass the access list on the interface and use only the access list referenced in the crypto map statement?

New Member

Re: VPN Tunnel Access

If you have an access-list bound to the inside interface you would not add the entries regarding the encrypted traffic there.

You only have to add those entries to the access-list that is bound to the crypto map and (if used) to the access-list bound to the NAT 0 statement.

New Member

Re: VPN Tunnel Access

Well, that's what I thought and had never seen this issue before but it seems to apply here. Once I add the entries to acl on the inside interface (not the one bound to the crypto map), it starts working. Pretty strange.

New Member

Re: VPN Tunnel Access

One thing you should know is that when you are working with PIXes in VPN environments and are doing VPN changes, the PIX sometimes needs to be reloaded.

I am 100% sure that you do not have to have the acl on the inside interface, but only in the crypto acl. Try removing the corresponding lines from the inside acl, save and reload the unit.

If you like, you can send the config to me.

Cisco Employee

Re: VPN Tunnel Access


If I understand you correctly, your config looks something similar to:

crypto map mymap 10 match address 100

access-list 100 permit ip

access-group 150 in interface inside

access-list 150 permit ip

If the above is the case, then you have to add a statement that permits ip addresses from 10.1.1.x/24 to 10.10.10.x/24 in your access-list 150. Without this statement, the pix will deny the packets with source 10.1.1.x to 10.10.10.x and will not go through the tunnel.
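As an added illustration (not configuration from any post in this thread), here is a constructed PIX 6.x configuration with the shape the Cisco employee describes: crypto ACL 100 selects what gets encrypted, but the inside-interface ACL 150 is evaluated first, so it must also permit the 10.1.1.0/24 to 10.10.10.0/24 traffic. The ACL name "nonat", peer 192.0.2.1, transform set, the other entries in ACL 150 and the omitted ISAKMP lines are assumptions; lines starting with "!" are annotations, not configuration.

```text
! Constructed PIX 6.x example (assumed syntax); ACL numbers and map name taken from the thread

! Crypto ACL: selects the traffic that will be encrypted into the tunnel
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0

! NAT exemption so tunnel traffic keeps its private addresses (assumed ACL name "nonat")
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Interface ACL on inside: the packet is checked here BEFORE the crypto map sees it.
! Without the first line, 10.1.1.x -> 10.10.10.x is dropped here and never reaches the tunnel.
access-list 150 permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 150 permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list 150 permit udp 10.1.1.0 255.255.255.0 any eq domain
access-list 150 deny ip any any
access-group 150 in interface inside

! Crypto map: references ACL 100 only (assumed peer and transform set; ISAKMP config omitted)
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.0.2.1
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside

! Checks after the change: the hit count on the ACL 150 VPN line should increase,
! and the SA for 10.1.1.0/24 <-> 10.10.10.0/24 should show pkts encaps/decaps climbing
show access-list
show crypto ipsec sa
```

Note that on PIX 6.x the sysopt connection permit-ipsec command only lets decrypted tunnel traffic arriving on the outside interface bypass the outside ACL; it has no effect on an ACL applied inbound on the inside interface, which is why the entry in ACL 150 is still required.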



New Member

Re: VPN Tunnel Access

I'm sorry for misleading you. If you have bound an access-list to the inside interface you do of course need to permit the traffic for the other side of the tunnel in that list too.

If you do not have any access-list bound to the inside interface, you don't have to create one and assign it to the interface for the VPN to work. It is just when you already have one that you have to specify the VPN traffic in it.

New Member

Re: VPN Tunnel Access

Depends upon (a) static or dynamic access to internet and (b) how you're creating the tunnel.

If dynamic, you can't be using an access list on the pix for tunneled traffic. Access lists only apply to unencrypted (public) traffic.

If you're using 'EasyVPN' (vpnc lines) then your access-lists for tunnel traffic are being dynamically created by your 3000 sending down its policy to the pix.

Don't know how much, if any, that helps you.

Traffic hits the access list associated with it. If it is tunnelled traffic, it hits the crypto access list; if not, the other.
