
Site to Site VPN Issue

Hi All

Consider the following Phase 2 parameters of a VPN. The issue is that I need to give a clear text access-list too, along with the normal crypto ACL and NO NAT ACL. I am not able to find out the reason for the same.

crypto map outside_map 140 match address outside_cryptomap_140

crypto map outside_map 140 set peer 65.127.X.X

crypto map outside_map 140 set transform-set ESP-3DES-SHA

a) Crypto ACL

access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8

access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3

access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0

b) NO NAT ACL

access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 host 10.200.253.8

access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0

access-list appdmz_outbound_nat0_acl extended permit ip host 10.81.34.59 host 10.100.8.3

c) Clear text ACL

access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh

access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8

access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3

Query: In a Site to Site VPN, ideally only the crypto ACL (interesting traffic ACL) and the NO NAT ACL are required. However, in some VPN scenarios a clear text ACL is also required, without which, even after the tunnel is up, devices are unreachable and the following error is given:

“Connection denied by webdmz_access_in”

Please let me know the following:

1) Is it really required?

2) If not, what are the scenarios in which it needs to be given?

Regards

Ankur
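The behaviour described in the post follows from the order in which an ASA evaluates a packet that enters a DMZ interface and leaves through the crypto map on outside: the inbound ACL bound to the ingress interface with access-group is checked first, then NAT exemption (nat 0 access-list), then the crypto ACL. The default sysopt connection permit-vpn only bypasses interface ACLs for decrypted traffic arriving from the tunnel, not for traffic on its way to be encrypted. The Python model below is an added example, not code or configuration from the post; it reproduces that order using the ACLs as posted. The test packets, the empty outside ACL and the names of the functions are constructed for illustration.

```python
"""Model of the checks an ASA applies to traffic between a DMZ host and a
site-to-site peer, using the ACLs posted above. Added example, not the
poster's configuration or code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"ssh": 22, "www": 80, "https": 443}  # ASA port keywords used here


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp" or "ip"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(t: List[str], i: int):
    """Consume one ASA address spec (host X | X MASK | any) at t[i]."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(t[i] + "/" + t[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE wins; an applied ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


# ACLs copied from the post, in the order posted.
CRYPTO_140 = parse_acl("""
access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8
access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3
access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
""")
WEBDMZ_NAT0 = parse_acl("""
access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 host 10.200.253.8
access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0
""")
APPDMZ_NAT0 = parse_acl("""
access-list appdmz_outbound_nat0_acl extended permit ip host 10.81.34.59 host 10.100.8.3
""")
WEBDMZ_ACCESS_IN = parse_acl("""
access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh
access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8
""")
APPDMZ_ACCESS_IN = parse_acl("""
access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3
""")
OUTSIDE_ACCESS_IN: List[Ace] = []  # constructed: outside ACL with no entry for tunnel traffic


def outbound_through_tunnel(pkt, interface_acl, nat0_acl, crypto_acl) -> str:
    """Checks in ASA order for a packet entering a DMZ interface and leaving via
    the crypto map: 1) inbound ACL on the ingress interface, if one is applied
    with access-group (None = no ACL, higher-to-lower allowed by default),
    2) NAT exemption, 3) crypto ACL."""
    if interface_acl is not None and not acl_permits(interface_acl, pkt):
        return "denied by interface ACL"
    if not acl_permits(nat0_acl, pkt):
        return "translated by NAT before crypto ACL lookup"
    if not acl_permits(crypto_acl, pkt):
        return "forwarded in clear (not interesting traffic)"
    return "encrypted"


def inbound_from_tunnel(pkt, outside_acl, sysopt_permit_vpn=True) -> str:
    """Decrypted traffic from the peer: with the default 'sysopt connection
    permit-vpn' the outside ACL is bypassed; with 'no sysopt ...' it applies."""
    if sysopt_permit_vpn:
        return "permitted (interface ACL bypassed)"
    return "permitted" if acl_permits(outside_acl, pkt) else "denied by interface ACL"


if __name__ == "__main__":
    ssh = Packet("10.10.49.30", "10.100.8.3", "tcp", 22)
    https = Packet("10.10.49.30", "10.100.8.3", "tcp", 443)
    print("ssh  :", outbound_through_tunnel(ssh, WEBDMZ_ACCESS_IN, WEBDMZ_NAT0, CRYPTO_140))
    print("https:", outbound_through_tunnel(https, WEBDMZ_ACCESS_IN, WEBDMZ_NAT0, CRYPTO_140))
    print("https, no access-group on webdmz:",
          outbound_through_tunnel(https, None, WEBDMZ_NAT0, CRYPTO_140))
```

Reading the results against the two questions in the post: the clear text ACL is required whenever an access-group is applied inbound on the higher-security interface, because that ACL (with its implicit deny) is evaluated before the packet ever reaches the crypto map, which is what produces the "denied by webdmz_access_in" message for flows that are in the crypto ACL but not in the interface ACL. When no access-group is applied on that interface, higher-to-lower traffic is permitted by default and no clear text entry is needed. The sysopt default covers only the reverse, decrypted direction.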

2 REPLIES

Re: Site to Site VPN Issue

Hi,

Thanks for the update; however, I posted as I thought that the section for VPN is different. I will verify the same in different firewalls and will try to find out whether clear text ACLs for S2S VPN are applied on those "higher security" interfaces or not, which contain a lot of specifically defined rules towards "lower security" interfaces.

Regards

Ankur
