Cisco Support Community

New Member

VPN issue

I have what would appear to be a simple LAN-to-LAN VPN.

I have enabled: sysopt connection permit-ipsec.

The remote site works as expected, without the use of any access-list assigned to the inside interface for VPN traffic.

The local site will not operate unless I have a crypto access-list and an access-list assigned to the inside interface.

example:

local:

access-list inside extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

!

access-list crypto_acl extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

!

access-list no_nat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

!

nat (inside) 0 access-list no_nat

!

access-group inside in interface inside

!

remote:

access-list crypto_acl extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

!

access-list no_nat permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

!

nat (inside) 0 access-list no_nat

!

When neither access-list exists at the local site, it is not possible to connect to the remote site!

Does anyone have any ideas?

Thanks

1 REPLY
Cisco Employee

Re: VPN issue

Craig,

The "sysopt connection permit-ipsec" command is for the interface rules to be bypassed for IPsec traffic on the outside interface.

In your local PIX configuration, you have applied your access-list on the inside interface: "access-group inside in interface inside".

By default the PIX will allow all traffic on the inside interface (security level 100) unless explicitly denied by an access-list. Since you have an access-group applied on the inside interface, you have to explicitly permit the local and remote networks.

Please let me know if this answers your questions.

I hope it helps.

Regards,

Arul
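The behaviour Arul describes can be checked mechanically before touching the box. The script below is an added example, not code from the thread or from Cisco: it parses PIX-style `access-list` / `access-group` lines and, for each permit entry in the crypto ACL (the "interesting traffic"), reports whether that traffic would even be admitted inbound on the inside interface, using the rule stated in the reply (no access-group on the interface means implicit permit; an applied access-group is first-match with an implicit deny at the end). It models only the inside-interface check, not the outside-interface bypass that `sysopt connection permit-ipsec` provides. The three sample configurations, the interface name `inside` and the ACL names are constructed assumptions for illustration.

```python
"""Audit whether VPN interesting traffic survives an inside-interface ACL.

Models the rule from the reply: with no access-group on an interface the
PIX permits everything inbound on it; once an access-group is applied, the
ACL is evaluated first match wins and anything unmatched is implicitly denied.
Sample configs below are constructed for this example, not from real devices.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one PIX address spec at tokens[i]: "any", "host A.B.C.D" or
    "A.B.C.D MASK". Returns (network, index of the next unconsumed token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash for IPv4
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl name: [AclEntry]}, {interface: (acl name, direction)})."""
    acls, groups = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "access-list":
            name, rest = tokens[1], tokens[2:]
            if rest[0] == "extended":          # PIX 7.x keyword; absent on 6.x
                rest = rest[1:]
            if rest[0] == "remark":
                continue
            action, proto = rest[0], rest[1]
            src, i = _parse_addr(rest, 2)
            dst, _ = _parse_addr(rest, i)      # trailing "eq 80" etc. is ignored
            acls.setdefault(name, []).append(AclEntry(action, proto, src, dst))
        elif tokens[0] == "access-group":
            # access-group <acl> <in|out> interface <ifname>
            groups[tokens[4]] = (tokens[1], tokens[2])
    return acls, groups


def inbound_allowed(acls, groups, ifname, src, dst):
    """Decide whether the IP flow src->dst is admitted inbound on ifname.
    A flow counts as matched only by an 'ip' entry that covers both networks."""
    if ifname not in groups:
        return True, f"no access-group on {ifname}: implicit permit"
    acl_name, direction = groups[ifname]
    if direction != "in":
        return True, f"{acl_name} on {ifname} is applied outbound only"
    for e in acls.get(acl_name, []):
        if e.proto == "ip" and src.subnet_of(e.src) and dst.subnet_of(e.dst):
            return e.action == "permit", f"{acl_name}: matched '{e.action} ip {e.src} {e.dst}'"
    return False, f"{acl_name}: no entry covers {src} -> {dst}, implicit deny"


def check_vpn_flows(config_text, crypto_acl, ifname="inside"):
    """For each permit entry of the crypto ACL, report (src, dst, allowed, reason)
    for traffic arriving inbound on ifname, i.e. whether it can reach the tunnel."""
    acls, groups = parse_config(config_text)
    results = []
    for e in acls.get(crypto_acl, []):
        if e.action != "permit":
            continue
        ok, why = inbound_allowed(acls, groups, ifname, e.src, e.dst)
        results.append((str(e.src), str(e.dst), ok, why))
    return results


# Constructed sample configs (assumed names; not the thread's devices).
LOCAL_NO_INSIDE_ACL = """
sysopt connection permit-ipsec
access-list crypto_acl extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list no_nat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
"""

# Same site with an inside ACL that forgets the VPN traffic: implicit deny.
LOCAL_INSIDE_ACL_MISSING = LOCAL_NO_INSIDE_ACL + """
access-list inside extended permit tcp 1.1.1.0 255.255.255.0 any eq 80
access-group inside in interface inside
"""

# Fixed: the inside ACL explicitly permits local LAN -> remote LAN.
LOCAL_INSIDE_ACL_FIXED = LOCAL_NO_INSIDE_ACL + """
access-list inside extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list inside extended permit tcp 1.1.1.0 255.255.255.0 any eq 80
access-group inside in interface inside
"""

if __name__ == "__main__":
    for label, cfg in [("no inside ACL", LOCAL_NO_INSIDE_ACL),
                       ("inside ACL without VPN permit", LOCAL_INSIDE_ACL_MISSING),
                       ("inside ACL with VPN permit", LOCAL_INSIDE_ACL_FIXED)]:
        for src, dst, ok, why in check_vpn_flows(cfg, "crypto_acl"):
            print(f"[{label}] {src} -> {dst}: {'ALLOWED' if ok else 'BLOCKED'} ({why})")
```

Run it against a saved `show running-config` with the crypto ACL name from the relevant `crypto map ... match address` line; a BLOCKED line means the packets never reach the crypto map, which is exactly the symptom in the original post. Note that the matcher only treats an `ip` entry that covers the whole crypto-ACL network pair as a match, so an inside ACL that permits just a subset of hosts will be reported as blocked even though some hosts could still use the tunnel.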
