Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

L2L VPN question


I have Cisco PIX 515E(8.0.3) and Cisco 5520(8.0.4). Between these devices I made L2L VPN.

Behind Pix1 is LAN

Behind Pix2 is LAN

Do I need outside interface ACL's to communicate these LAN's?

Or it's enough to configure crypto ACL

with permit ip ACE's of both side.

Because in official documentation is "The crypto access list does not determine whether to permit or deny traffic through the interface".

But when I disable outside interface ACL's on both devices, the communication still works.

Many thanks.


New Member

Re: L2L VPN question

The 'sysopt connection permit-vpn' command allows all IPSec related traffic to reach the firewall, in effect bypassing any ACLs on the outside interface. I believe this is enabled by default on v8. If you require more granular control over your VPN clients, you can disable this with the 'no sysopt connection permit-vpn' command and then setup access lists. You will need to allow ports 50,51 and 500 explicitly if you do this.



New Member

Re: L2L VPN question

So, if I have "sysopt connection permit-vpn" enabled, access control inside L2L VPN is only done with crypto map access list?

Because this doesn't work for me. I must allow communication from to in interface ACL(I can see hits in ACE's), not only in crypto map ACL(I can't see hits in crypto map ACE's).



New Member

Re: L2L VPN question


The sysopt command allows IPSec traffic that terminates at your outside interface to come through it but not through any other interface on the FW - that has to be explicity defined in ACLs.

Also, if you are allowing traffic from the private networks to communicate, i.e. not PATing them to at the outside interfaces, then you will also need ACLs to bypass NAT. So you would have something like this on the FW that contains the subnet:

access-list Inside_IN extended permit ip any

access-list L2LVPN_NONAT extended permit ip

nat (inside) 0 access-list L2LVPN_NONAT

access-group Inside_IN in interface inside

and the opposite on the other firewall.