topic PIX Site to Site VPN Issue in Network Security https://community.cisco.com/t5/network-security/pix-site-to-site-vpn-issue/m-p/929689#M939514 <P>Consider the following Phase 2 parameters of a VPN .The issue is i need to give clear text access-list too along with the normal Crypto ACL and NONAT ACL .Iam not able to find out the reason for the same </P><P></P><P>crypto map outside_map 140 match address outside_cryptomap_140</P><P>crypto map outside_map 140 set peer 65.127.X.X</P><P>crypto map outside_map 140 set transform-set ESP-3DES-SHA</P><P></P><P> </P><P>a)Crytpo ACL</P><P></P><P>access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8 </P><P>access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3 </P><P>access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0</P><P></P><P>b)NO NAT ACL </P><P></P><P>access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 host 10.200.253.8</P><P>access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0</P><P>access-list appdmz_outbound_nat0_acl extended permit ip host 10.81.34.59 host 10.100.8.3</P><P></P><P>c)Clear text ACL </P><P></P><P>access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh </P><P>access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8</P><P>access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3</P><P></P><P></P><P>Query : In a Site to Site VPN ideally only Crypto ACL (Interesting traffic ACL ) and NO NAT ACL is required . However in some of the VPN Scenarios Clear text ACL is also required without which even after the tunnel is up , devices are unreachable and it will give a following error .</P><P></P><P></P><P>â&#128;&#156;Connection denied by webdmz_access_inâ&#128;&#157;</P><P> </P><P></P><P>Please let me know the following </P><P></P><P>1)Is it really required </P><P>2)If not , what are those scenarios in which it needs to be given </P><P></P><P>Regards</P><P>Ankur </P> Mon, 11 Mar 2019 12:29:22 GMT ankurs2008 2019-03-11T12:29:22Z PIX Site to Site VPN Issue https://community.cisco.com/t5/network-security/pix-site-to-site-vpn-issue/m-p/929689#M939514 <P>Consider the following Phase 2 parameters of a VPN .The issue is i need to give clear text access-list too along with the normal Crypto ACL and NONAT ACL .Iam not able to find out the reason for the same </P><P></P><P>crypto map outside_map 140 match address outside_cryptomap_140</P><P>crypto map outside_map 140 set peer 65.127.X.X</P><P>crypto map outside_map 140 set transform-set ESP-3DES-SHA</P><P></P><P> </P><P>a)Crytpo ACL</P><P></P><P>access-list outside_cryptomap_140 extended permit icmp host 10.10.49.30 host 10.200.253.8 </P><P>access-list outside_cryptomap_140 extended permit ip host 10.81.34.59 host 10.100.8.3 </P><P>access-list outside_cryptomap_140 extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0</P><P></P><P>b)NO NAT ACL </P><P></P><P>access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 host 10.200.253.8</P><P>access-list webdmz_outbound_nat0_acl extended permit ip host 10.10.49.30 10.100.8.0 255.255.255.0</P><P>access-list appdmz_outbound_nat0_acl extended permit ip host 10.81.34.59 host 10.100.8.3</P><P></P><P>c)Clear text ACL </P><P></P><P>access-list webdmz_access_in extended permit tcp host 10.10.49.30 10.100.8.0 255.255.255.0 eq ssh </P><P>access-list webdmz_access_in extended permit icmp host 10.10.49.30 host 10.200.253.8</P><P>access-list appdmz_access_in extended permit ip host 10.81.34.59 host 10.100.8.3</P><P></P><P></P><P>Query : In a Site to Site VPN ideally only Crypto ACL (Interesting traffic ACL ) and NO NAT ACL is required . However in some of the VPN Scenarios Clear text ACL is also required without which even after the tunnel is up , devices are unreachable and it will give a following error .</P><P></P><P></P><P>â&#128;&#156;Connection denied by webdmz_access_inâ&#128;&#157;</P><P> </P><P></P><P>Please let me know the following </P><P></P><P>1)Is it really required </P><P>2)If not , what are those scenarios in which it needs to be given </P><P></P><P>Regards</P><P>Ankur </P> Mon, 11 Mar 2019 12:29:22 GMT https://community.cisco.com/t5/network-security/pix-site-to-site-vpn-issue/m-p/929689#M939514 ankurs2008 2019-03-11T12:29:22Z Re: PIX Site to Site VPN Issue https://community.cisco.com/t5/network-security/pix-site-to-site-vpn-issue/m-p/929690#M939515 <HTML><HEAD></HEAD><BODY><P>Hi Ankur,</P><P> As you know, traffic from a higher security interface to a lower security interface is permit by default. That means if there is no access-list applied to the higher security leved interface, traffic will be permit. It is not really required.</P><P> But in some firewall implementations, security admins apply access-list to that higher security leveled interface to filter traffic originated from inside, the trusted users. In this case, they permit specific traffic, then a deny any any in the end. Since the traffic is filtered, you have to specifically permit the tunnel traffic.</P><P></P><P>Regards</P><P> </P></BODY></HTML> Thu, 10 Apr 2008 13:45:15 GMT https://community.cisco.com/t5/network-security/pix-site-to-site-vpn-issue/m-p/929690#M939515 Alan Huseyin Kayahan 2008-04-10T13:45:15Z