Cisco Support Community
Question about crypto ipsec rules

Hi all,

I have a question about ipsec rules for vpn configurations.

Generally I configure ipsec tunnels with this ipsec rule:

local lan    x.x.x.x 255.255.0.0
remote lan   y.y.y.y 255.255.0.0
local peer   A.A.A.A
remote peer  B.B.B.B

ipsec rule = access-list outside_51_cryptomap extended permit ip x.x.x.x 255.255.0.0 y.y.y.y 255.255.0.0

These days one of our customers wants to add 2 other rules:

access-list outside_51_cryptomap extended deny ip A.A.A.A 255.255.255.255 B.B.B.B 255.255.255.255

access-list outside_51_cryptomap extended permit ip x.x.x.x 255.255.0.0 B.B.B.B 255.255.255.255

Does anyone have any idea about the reason?

They told me there are security reasons. Is that correct?
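To see what the requested entries actually do, the following added example (not code from the original post or from Cisco) evaluates flows against the crypto ACL the way the ASA does: first matching entry wins, and anything that matches no entry falls to the implicit deny. The placeholder addresses x.x.x.x, y.y.y.y, A.A.A.A and B.B.B.B are replaced with constructed RFC 5737 / RFC 1918 values, and the verdict names (`protect`, `bypass`, `no-match`) are this example's own labels. It also includes a simple shadowing check, because an entry placed after a broader one that already covers it can never match, which is the main ordering mistake to watch for when entries are added to an existing crypto ACL.

```python
import ipaddress

# Constructed sample values standing in for the post's placeholders
# (x.x.x.x, y.y.y.y, A.A.A.A, B.B.B.B); they are not from the original page.
LOCAL_LAN = "10.1.0.0/255.255.0.0"
REMOTE_LAN = "10.2.0.0/255.255.0.0"
LOCAL_PEER = "198.51.100.1/255.255.255.255"
REMOTE_PEER = "203.0.113.1/255.255.255.255"


def ace(action, src, dst):
    """One access-list entry. ASA writes 'address netmask'; ip_network accepts
    that form directly when strict=False."""
    return (action,
            ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False))


# The crypto ACL as described in the post: the original permit plus the
# two entries the customer asked for, in the order they were listed.
CRYPTO_ACL = [
    ace("permit", LOCAL_LAN, REMOTE_LAN),     # LAN to LAN: protected
    ace("deny", LOCAL_PEER, REMOTE_PEER),     # peer to peer: excluded
    ace("permit", LOCAL_LAN, REMOTE_PEER),    # LAN to remote peer: protected
]

# Constructed misordered variant: a broad permit ahead of the deny makes the
# deny unreachable. Used only to demonstrate the shadowing check below.
MISORDERED_ACL = [
    ace("permit", "0.0.0.0/0.0.0.0", REMOTE_PEER),
    ace("deny", LOCAL_PEER, REMOTE_PEER),
]


def evaluate(acl, src_ip, dst_ip):
    """Evaluate one flow against a crypto ACL with first-match semantics.

    Returns (verdict, index):
      'protect'  - matched a permit, so this crypto map entry protects the flow
      'bypass'   - matched an explicit deny, so this entry does not protect it
      'no-match' - matched nothing (implicit deny), index is None
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for i, (action, src_net, dst_net) in enumerate(acl):
        if s in src_net and d in dst_net:
            return ("protect" if action == "permit" else "bypass", i)
    return ("no-match", None)


def shadowed_entries(acl):
    """Return the indexes of entries that can never match because an earlier
    entry already covers every source/destination pair they describe."""
    shadowed = []
    for j in range(len(acl)):
        _, sj, dj = acl[j]
        for i in range(j):
            _, si, di = acl[i]
            if sj.subnet_of(si) and dj.subnet_of(di):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed flows covering each entry plus the implicit deny.
    flows = [
        ("10.1.5.5", "10.2.7.7"),          # LAN to LAN
        ("198.51.100.1", "203.0.113.1"),   # peer A to peer B
        ("10.1.5.5", "203.0.113.1"),       # LAN to peer B
        ("10.1.5.5", "192.0.2.9"),         # unrelated destination
    ]
    for src, dst in flows:
        verdict, idx = evaluate(CRYPTO_ACL, src, dst)
        print(f"{src:>14} -> {dst:<14} {verdict:<9} entry={idx}")
    print("shadowed in CRYPTO_ACL:", shadowed_entries(CRYPTO_ACL))
    print("shadowed in MISORDERED_ACL:", shadowed_entries(MISORDERED_ACL))
```

Run as-is to see that LAN-to-LAN and LAN-to-peer-B traffic hits a permit and is protected, traffic between the two peer addresses themselves hits the explicit deny and is left out of this entry's protection, and anything else falls through to the implicit deny. With the entries in the order the post lists them nothing is shadowed; the misordered variant shows the deny becoming dead configuration.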

1 REPLY

Question about crypto ipsec rules

I have not come across such a configuration. A LAN-to-LAN IPsec tunnel crypto ACL is basically a permit statement for the subnets between the two sites. Also, the 2nd statement does not make any sense: deny any any is the default, so it is not required in any way.

Thanks

ajay
