Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
534
Views
0
Helpful
3
Replies

L2L VPN question

valsidalv
Level 1
Level 1

‎02-06-2009 06:57 AM

Hi,

I have Cisco PIX 515E(8.0.3) and Cisco 5520(8.0.4). Between these devices I made L2L VPN.

Behind Pix1 is LAN 192.168.10.0/24

Behind Pix2 is LAN 10.11.13.0/24

Do I need outside interface ACL's to communicate these LAN's?

Or it's enough to configure crypto ACL

with permit ip ACE's of both side.

Because in official documentation is "The crypto access list does not determine whether to permit or deny traffic through the interface".

But when I disable outside interface ACL's on both devices, the communication still works.

Many thanks.

Vladislav

Labels:
0 Helpful
3 Replies 3

pstebner10
Level 1
Level 1

‎02-06-2009 08:30 AM

The 'sysopt connection permit-vpn' command allows all IPSec related traffic to reach the firewall, in effect bypassing any ACLs on the outside interface. I believe this is enabled by default on v8. If you require more granular control over your VPN clients, you can disable this with the 'no sysopt connection permit-vpn' command and then setup access lists. You will need to allow ports 50,51 and 500 explicitly if you do this.

HTH,

Paul

0 Helpful

valsidalv
Level 1
Level 1
In response to pstebner10

‎02-06-2009 12:13 PM

So, if I have "sysopt connection permit-vpn" enabled, access control inside L2L VPN is only done with crypto map access list?

Because this doesn't work for me. I must allow communication from 10.11.13.0/24 to 192.168.10.0/24 in interface ACL(I can see hits in ACE's), not only in crypto map ACL(I can't see hits in crypto map ACE's).

Thanks,

Vladislav

0 Helpful

pstebner10
Level 1
Level 1
In response to valsidalv

‎02-06-2009 01:16 PM

Vladislav-

The sysopt command allows IPSec traffic that terminates at your outside interface to come through it but not through any other interface on the FW - that has to be explicity defined in ACLs.

Also, if you are allowing traffic from the private networks to communicate, i.e. not PATing them to at the outside interfaces, then you will also need ACLs to bypass NAT. So you would have something like this on the FW that contains the 10.11.13.0/24 subnet:

access-list Inside_IN extended permit ip 192.168.10.0 255.255.255.0 any

access-list L2LVPN_NONAT extended permit ip 10.11.13.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list L2LVPN_NONAT

access-group Inside_IN in interface inside

and the opposite on the other firewall.

HTH,

Paul

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents