02-05-2025 06:30 AM
Hello everyone,
I have FMC/FTD, and when I create a VPN via Policy Based (crypto map) and use "Protected Networks" -> "Subnet / IP Address", everything works fine. VPN -> Azure, VPN -> other companies and our branch offices, no problem.
When I use "Protected Networks" -> "Access List (Extended)" instead, there is no chance of getting a connection. The tunnel comes up, but a connection is not possible.
Does anyone have a recommendation on how to use an ACL, or maybe a link to a document? Cisco recommends using "Access List (Extended)". Or what could be wrong? The settings are identical for "Subnet / IP Address" and "Access List".
Regards
Ralph
02-12-2025 01:06 AM - edited 02-12-2025 01:07 AM
@Aref Alsouqi wouldn't it be a good idea to configure the extended access-list instead of Subnet, as it gives more protection when using IPS-L7 (either Allow/Trust/Deny) by narrowing down to specific protocols and specific IP addresses? I guess there are two different ways to achieve the same thing: either using the extended access-list with IPS, or with VPN-Filter. At the end of the day both do the same thing.
02-12-2025 01:51 AM
@Sheraz.Salim I don't remember ever using a crypto ACL attaching an IPS policy to it. Generally speaking, the VPN traffic would be trusted-ish. However, there is nothing wrong with trying to restrict the VPN traffic to only allow what has to be allowed, denying everything else. Imo, the most secure way would be turning off "sysopt connection permit-vpn" and relying on the explicit ACLs that would be applied to the interfaces. That way you only allow what has to be allowed, regardless of how you define your crypto ACLs. The only thing with that is that sometimes this approach is not required and doesn't add any value, and other times it would be a bit difficult to manage, but as I said, that would be the most secure way to deal with VPN traffic.
The second approach would be to use VPN-Filter, which is a dedicated feature to restrict VPN traffic. The gotcha on this, as we already mentioned before, is that the way the VPN-Filter ACLs are created is flipped around: the source would be the remote subnet and the destination would be the local subnet. The reason behind that is that the VPN-Filter ACLs are applied to the traffic landing in the tunnel, hence the match of the subnets would be inverted. If you tried using extended ACLs with an IPS policy applied as crypto ACLs and that worked, then why not? That would also be an option.
02-12-2025 05:08 AM
So I tested several things, and for me the VPN to Azure works with "Protected Networks / Subnet" and an access list policy.
Between two FTDs it works with "Extended Access List and VPN-Filter". OK, I can configure it on both sides (described in a thread before), and with another firewall like FortiGate, WatchGuard ... you have to try :-).
02-12-2025 05:33 AM
If you use an L4 port in the extended ACL of the VPN, then it will not work.
The ACL for policy-based VPN supports only extended ACLs using subnets; it does not accept adding any L4 port.
MHM
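To make the two points above concrete (a subnet-only crypto ACL, and port restrictions placed in a VPN-Filter whose source/destination are inverted), here is an added example in the Lina/ASA CLI syntax that an FTD shows in its running configuration after deployment. It is not taken from the thread or from Cisco documentation; the subnets 10.1.0.0/24 (local) and 10.2.0.0/24 (remote), the peer address 203.0.113.10, and the ACL, proposal, group-policy and tunnel-group names are all constructed for illustration. On an FMC-managed FTD these objects are created through the FMC VPN topology and group policy (or FlexConfig), not typed in directly.

```cisco
! Constructed example, not from the thread.
! Local protected network: 10.1.0.0/24, remote protected network: 10.2.0.0/24

! 1) Crypto ACL = what FMC calls "Protected Networks".
!    Written local -> remote, and kept to "permit ip" on subnets only:
!    no tcp/udp or "eq <port>" entries here.
access-list CRYPTO_TO_BRANCH extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address CRYPTO_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

! 2) VPN-Filter ACL = where L4 restrictions belong.
!    Direction is inverted relative to the crypto ACL: source is the
!    REMOTE subnet, destination is the LOCAL subnet, and "eq 443" refers
!    to the port on the local side. The filter is stateful, so the return
!    half of a permitted connection does not need its own line.
access-list VPNFILTER_BRANCH extended permit tcp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0 eq 443
access-list VPNFILTER_BRANCH extended permit icmp 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPNFILTER_BRANCH extended deny ip any any

! 3) Attach the filter through the group policy that the L2L tunnel-group uses.
group-policy BRANCH_GP internal
group-policy BRANCH_GP attributes
 vpn-filter value VPNFILTER_BRANCH

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy BRANCH_GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <placeholder-psk>
 ikev2 local-authentication pre-shared-key <placeholder-psk>
```

A useful check after deployment is to compare the crypto ACL with `show crypto map` and the filter with `show running-config group-policy BRANCH_GP`: the crypto ACL should contain only `permit ip` subnet pairs written local to remote, while every `tcp`/`udp`/`eq` entry should live in the vpn-filter ACL written remote to local. If you later decide to disable `sysopt connection permit-vpn`, the same remote-to-local thinking applies to the interface ACL on the outside interface, because decrypted traffic then has to pass it explicitly.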