Consider the following Phase 2 parameters of a VPN. The issue is that I need to give a clear text access-list too, along with the normal Crypto ACL and NONAT ACL. I am not able to find out the reason for this.
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer 65.127.X.X
crypto map outside_map 140 set transform-set ESP-3DES-SHA
access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3
Query: In a Site to Site VPN, ideally only the Crypto ACL (interesting traffic ACL) and the NO NAT ACL are required. However, in some VPN scenarios a clear text ACL is also required, without which, even after the tunnel is up, devices are unreachable and the following error is given:
"Connection denied by webdmz_access_in"
Please let me know the following:
1) Is it really required?
2) If not, what are the scenarios in which it needs to be given?
Thanks for the update; however, I posted here as I thought the section for VPN is different. I will verify the same on different firewalls and will try to find out whether clear text ACLs for S2S VPN are applied on those "higher security" interfaces or not, which contain a lot of specifically defined rules towards "lower security" interfaces.
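The situation described in the question and the follow-up above, shown as an added configuration example. This is not the poster's configuration: the two hosts (10.81.34.59 and 10.100.8.3) and the peer come from the question, while the interface names, security levels, addresses, ACL names and the ASA 8.2-style NAT syntax are assumptions (the same packet-flow logic applies with 8.3+ twice NAT).

```cisco
! Added example, not the poster's running configuration.
! Assumed: "outside" terminates the tunnel, "webdmz" holds the local host.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif webdmz
 security-level 50
 ip address 10.81.34.1 255.255.255.0

! 1. Crypto ACL (interesting traffic): local host <-> remote host
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3

! 2. NAT exemption, so the packet keeps its real source when it reaches the crypto map
access-list webdmz_nat0_outbound extended permit ip host 10.81.34.59 host 10.100.8.3
nat (webdmz) 0 access-list webdmz_nat0_outbound

! 3. Phase 2, as in the question (pre-8.4 transform-set syntax)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer 65.127.X.X
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! 4. Enabled by default: traffic that was decrypted by the tunnel on "outside"
!    bypasses outside_access_in. If this is disabled (no sysopt connection
!    permit-vpn), outside_access_in must also permit 10.100.8.3 -> 10.81.34.59.
sysopt connection permit-vpn

! 5. sysopt does NOT bypass the ingress ACL of the interface the local host is
!    on. A connection that 10.81.34.59 starts toward 10.100.8.3 is checked
!    against webdmz_access_in before NAT, routing or the crypto map are
!    consulted; if the ACL does not permit it, the ASA drops the packet and
!    logs the %ASA-4-106023 deny naming webdmz_access_in, even though the
!    tunnel is up. This permit line is the "clear text ACL" from the question.
access-list webdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3
access-list webdmz_access_in extended deny ip any any log
access-group webdmz_access_in in interface webdmz
```

The answer to the two questions therefore depends on where the connection originates and which interface carries an ACL: connections initiated from the remote side need no extra ACL while sysopt connection permit-vpn is enabled and the reply is handled by the existing connection entry, whereas connections initiated by a host on an interface that has an inbound access-group must be permitted by that access-group like any other outbound traffic, regardless of the VPN. Two checks confirm which case applies: show running-config sysopt shows whether the bypass is in effect, and show access-list webdmz_access_in shows hit counts on the deny entry that the syslog named.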