I have set up a VPN between a Cisco 877 DSL router and a Cisco Concentrator. It all works, and I (my PC, 192.168.20.10) can access 172.30.2.10 (a PC on the 877 LAN) - great.
1.) But why is it that I can remove the ACL called "inbound" from the "dialer 1" interface inbound and nothing is affected? The traffic all still works. Surely removing this should stop me accessing the remote PC on the 877.
It is as if the ACL is being bypassed.
2.) Has it got anything to do with the SAs on each side of the tunnel? "access-list 101 permit ip 172.30.2.0 0.0.0.255 any"
3.) I'm not sure if the SAs, or as some call them the "protected networks", which would be 172.30.2.0/24 and "any", are allowing the traffic through?
I have thought about adding just the subnets and removing the "any" from the crypto ACL, but I also tunnel the site's Internet requests over the VPN as we have to monitor it at the HQ. Am I right in saying the "any" covers the Internet page requests too? If I were to add just the protected subnets, would the Internet stop working?
Given your need to encapsulate all traffic to/from the branch office, I would leave it as it is.
In situations where you do not need to encapsulate traffic destined to "any" destination, I would avoid use of the "any" keyword, and use summarization to minimize the number of ACEs in the crypto ACL.
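To make the crypto-ACL question concrete, here is an added Python example (not from the thread or from Cisco) that parses IOS-style `permit ip <src> <wildcard> <dst> <wildcard>` entries, decides which flows a crypto ACL would select for IPsec, and shows the summarization the reply recommends. It models only the crypto ACL's match logic, not the interface ACL on the dialer. The branch LAN 172.30.2.0/24 and the HQ PC 192.168.20.10 are taken from the question; 198.51.100.7 is a documentation-range stand-in for an Internet web server.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses: branch PC behind the 877, HQ PC behind the
# concentrator, and a stand-in Internet host (RFC 5737 documentation range).
BRANCH_PC = "172.30.2.10"
HQ_PC = "192.168.20.10"
INTERNET_HOST = "198.51.100.7"


@dataclass(frozen=True)
class Ace:
    """One crypto-ACL entry: permit ip <source> <destination>."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_operand(tokens, i):
    """Read one IOS address operand starting at tokens[i].

    Returns (network, index_of_next_token). Handles 'any', 'host A.B.C.D'
    and 'A.B.C.D W.W.W.W' (address plus wildcard mask). Non-contiguous
    wildcard masks are not representable as a prefix and raise ValueError.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network((tok, str(netmask)), strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list N permit ip ...' or a bare 'permit ip ...' line."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]  # drop 'access-list <number>'
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_operand(tokens, 2)
    dst, _ = _parse_operand(tokens, i)
    return Ace(src, dst)


def parse_acl(lines):
    return [parse_ace(ln) for ln in lines if ln.strip()]


def matches(acl, src_ip, dst_ip):
    """True if any entry selects the flow, i.e. it would be sent through IPsec."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in ace.src and d in ace.dst for ace in acl)


def summarize(cidrs):
    """Collapse a list of prefixes into the fewest covering prefixes,
    which is what keeps the number of ACEs in a crypto ACL small."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # The ACL quoted in the question: everything from the branch LAN is protected.
    any_acl = parse_acl(["access-list 101 permit ip 172.30.2.0 0.0.0.255 any"])
    # A subnet-only alternative that protects only branch-to-HQ traffic.
    subnet_acl = parse_acl(["permit ip 172.30.2.0 0.0.0.255 192.168.20.0 0.0.0.255"])
    for name, acl in (("any", any_acl), ("subnet-only", subnet_acl)):
        for dst in (HQ_PC, INTERNET_HOST):
            verdict = "tunnelled" if matches(acl, BRANCH_PC, dst) else "sent in the clear"
            print(f"{name:12s} {BRANCH_PC} -> {dst}: {verdict}")
    print("summarized HQ networks:", summarize(["192.168.20.0/24", "192.168.21.0/24"]))
```

Running it shows the trade-off the question is about: with `any` the branch's web requests match the crypto ACL and go through the tunnel to HQ, while with a subnet-only ACL they no longer match, so they would bypass the VPN rather than be monitored at HQ.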