Cisco Support Community
Reg. Crypto ACL query for S2S/RA VPN

Hi all / husycisco

Consider the following config for S2S VPN:

access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3

access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0

My query is: instead of using an IP-based crypto ACL, can I configure it TCP-based? I have tried doing the same; however, no success. If we cannot do it, is there any specific reason for the same?

The reason for this query is that all auditors pinpoint as to why the IP-based ACL is given. Any help for the same will be appreciated.

Regards

Ankur

1 REPLY

Re: Reg. Crypto ACL query for S2S/RA VPN

Hi Ankur,

By specifying a port in any ACL that is a network ACL instead of a restriction ACL (like NAT ACLs, interesting-traffic ACLs, tunnel ACLs), you are making the device check the port portion of each packet during "routing", which is not permitted in Cisco firewall appliances, since that would decrease the performance slightly for a stateful firewall. You should have got a warning like "Warning: port specified in bla bla will slightly decrease bla bla" (I can't remember the exact phrase) whenever you try to do this.

Regards
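As an added example (not code from the thread or from Cisco), the following Python lint parses ASA extended ACEs in the format of the crypto ACL quoted above and flags any entry that matches on a transport protocol or port operator instead of plain ip, which is the kind of entry the reply says does not belong in an interesting-traffic ACL. The two tcp/udp sample lines are constructed to exercise the check and are not from the question.

```python
import ipaddress
import re

# Constructed sample: the two ACEs from the question, plus two hypothetical
# entries that narrow the match to a protocol and port (not from the thread).
SAMPLE_ACL = """
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
access-list outside_cryptomap_140 extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq 443
access-list outside_cryptomap_140 extended permit udp host 10.81.34.59 eq 161 host 10.100.8.3
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR = rf"(?:host\s+{IPV4}|{IPV4}\s+{IPV4}|any)"               # one address operand
PORT = r"(?:\s+(?:eq|gt|lt|neq)\s+\S+|\s+range\s+\S+\s+\S+)?"  # optional port operator
ACE_RE = re.compile(
    rf"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)"
    rf"\s+({ADDR})({PORT})\s+({ADDR})({PORT})\s*$"
)

def to_network(operand):
    """Convert an ASA address operand (host X / X MASK / any) to an ip_network."""
    if operand == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if operand.startswith("host"):
        return ipaddress.ip_network(operand.split()[1] + "/32")
    addr, mask = operand.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ace(line):
    """Parse one extended ACE; return None for lines that are not ACEs."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, src, sport, dst, dport = m.groups()
    sport, dport = (sport or "").strip(), (dport or "").strip()
    return {
        "acl": name, "action": action, "proto": proto,
        "src": to_network(src), "src_port": sport,
        "dst": to_network(dst), "dst_port": dport,
        # A crypto ACE should select traffic on IP only; flag anything else.
        "ip_only": proto == "ip" and not sport and not dport,
    }

def audit_crypto_acl(config_text):
    """Return the parsed ACEs; report those where ip_only is False for rework."""
    return [ace for ace in map(parse_ace, config_text.splitlines()) if ace]
```

Run `audit_crypto_acl` over the output of `show running-config access-list` for the ACL referenced by each `crypto map ... match address` line; entries with `ip_only` False are the ones that match on protocol or port.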
