We have brought up a vpn tunnel between a PIX 520 and a 3000 concentrator. There is an access-list bound to the inside interface (in) of the pix. In order to allow traffic over the tunnel we are forced to add entries to the access list. When a tunnel is configured, should it bypass the access list on the interface and use only the access list referenced in the crypto map statement?
Well, that's what I thought and had never seen this issue before but it seems to apply here. Once I add the entries to acl on the inside interface (not the one bound to the crypto map), it starts working. Pretty strange.
If I understand you correctly, your config looks something similar to:
crypto map mymap 10 match address 100
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group 150 in interface inside
access-list 150 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
If the above is the case, then you have to add a statement that permits IP addresses from 10.1.1.x/24 to 10.10.10.x/24 in your access-list 150. Without this statement, the PIX will deny the packets with source 10.1.1.x to 10.10.10.x and they will not go through the tunnel.
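To make the order of checks in that answer concrete, here is a small Python model of the two access lists. It is an added illustration, not config or code from this thread or from Cisco: the interface ACL bound with access-group filters every packet entering the inside interface first, and only packets it permits reach the crypto map, whose match-address ACL merely selects which of them are encrypted. The ACL lines below are constructed to mirror the config quoted above (with the masks written in PIX subnet-mask form); NAT, routing and the sysopt behaviour for decrypted inbound traffic are deliberately left out of the model.

```python
import ipaddress

# Constructed ACLs mirroring the thread's config (illustration only, never run on a PIX).
# Before the fix: the inside ACL only knows about the 10.2.2.0/24 destination.
INTERFACE_ACL_BEFORE = [
    "access-list 150 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
]
# After the fix: the tunnel's remote network is also permitted on the inside ACL.
INTERFACE_ACL_AFTER = INTERFACE_ACL_BEFORE + [
    "access-list 150 permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0",
]
# The crypto map's match-address ACL: selects traffic for encryption, filters nothing.
CRYPTO_ACL = [
    "access-list 100 permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0",
]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC MASK DST MASK' (PIX subnet-mask form)."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    # ipaddress accepts 'network/netmask' notation, so the PIX mask needs no conversion.
    src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
    dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
    return action, src, dst


def acl_lookup(acl, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end of every PIX ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def forward_inside_packet(interface_acl, crypto_acl, src_ip, dst_ip):
    """Model the thread's point: the access-group ACL filters first, the crypto ACL
    only chooses between tunnel and clear-text for what survived the filter."""
    if not acl_lookup(interface_acl, src_ip, dst_ip):
        return "dropped by interface ACL"
    if acl_lookup(crypto_acl, src_ip, dst_ip):
        return "encrypted into tunnel"
    return "forwarded in the clear"


def demo():
    """Return the outcome for a LAN host talking to the remote VPN network, before and after the fix."""
    return {
        "before": forward_inside_packet(INTERFACE_ACL_BEFORE, CRYPTO_ACL, "10.1.1.5", "10.10.10.7"),
        "after": forward_inside_packet(INTERFACE_ACL_AFTER, CRYPTO_ACL, "10.1.1.5", "10.10.10.7"),
    }


if __name__ == "__main__":
    for stage, outcome in demo().items():
        print(f"{stage}: 10.1.1.5 -> 10.10.10.7 is {outcome}")
```

The "before" case reproduces the symptom in the original post: the packet never reaches the crypto map, so no SA is ever triggered and the tunnel looks broken even though the crypto ACL is correct. The same model also shows why a destination such as 10.2.2.x is forwarded unencrypted: it passes the interface ACL but does not match the crypto ACL.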
I'm sorry for misleading you. If you have bound an access-list to the inside interface, you do of course need to permit the traffic for the other side of the tunnel in that list too.
If you do not have any access-list bound to the inside interface, you don't have to create one and assign it to the interface for the VPN to work; it is just when you already have one that you have to specify the VPN traffic in it.