01-18-2018 05:41 AM - edited 02-21-2020 07:09 AM
Hello ALL,
Need suggestion!!!!
My Goal-
Communication between R3 loopback interface and R1 using site to site VPN.
Everything is working fine but i have a doubt.
Below is the configuration provided.
I have ACL created on PIX and on R3.
***PIX***
access-list 101 extended permit ip 10.11.11.0 255.255.255.0 10.11.20.0 255.255.255.0
***R3***
access-list 101 permit ip 10.11.20.0 0.0.0.255 10.11.11.0 0.0.0.255
With the ACL created on PIX I am able to communicate in both ways from R3(lo1)--->R1 and R1-->R3(lo1). Now my doubt is how am I able to communicate from R3 to R1 though the ACL was created for only the direction R1 to R3.
What I have learnt till now is that we need an ACL to allow traffic from outside to inside.
Please share your valuable thoughts.
Please let me know if any more configuration details are required.
01-18-2018 07:45 AM
It is good to know that you have configured the site to site VPN and that it works. The answer to your question is fairly simple. When used for VPN the access list operates in a bidirectional manner. The ACL may be written for R1 to R3 but it recognizes and permits traffic R3 to R1 also.
HTH
Rick
01-18-2018 11:03 AM
01-18-2018 12:18 PM
You are welcome. I am glad that my explanation was helpful. I explained that the ACL acts bidirectional, which means that it identifies local traffic going to remote and also identifies remote traffic coming to local. When you tried this version of the ACL
access-list 101 extended permit ip 10.11.20.0 255.255.255.0 10.11.11.0 255.255.255.0
then it assumes that 10.11.20.0 are local addresses and 10.11.11.0 are remote but that is not the case is it?
HTH
Rick
01-19-2018 10:32 PM
01-20-2018 10:02 AM
In your original post you indicated that everything was working fine. Is that not the case?
In general you are correct that PIX and ASA require an access list to permit traffic initiated from outside to get to destinations inside. But there is, in fact, an exception to this for VPN traffic. If data is received from outside on a configured, authenticated, and active vpn then that traffic is allowed to inside destinations without requiring an ACL on the outside interface.
HTH
Rick
01-20-2018 11:33 PM
01-21-2018 06:23 AM
Perhaps we can answer this question by considering how access lists are used.
The most common use of access lists is to control what data is permitted and what is denied as data goes through an interface. On PIX and ASA we apply an ACL to an interface to control the flow of data packets. When a normal packet comes from the Internet the PIX/ASA examines whether the packet is a response to something that was initiated inside or is permitted by an ACL or is received on a vpn connection. So there is no need for ACL to permit receiving of vpn packets.
Another use of ACL is to identify what traffic from a local source to some remote destination will be encrypted by vpn. This is the use of ACL that you are asking about. It is applied bidirectionally (so you do not need one for in and another for out) and it must be consistent about which traffic is local and which traffic is remote. That is why it did not work when you reversed the entries.
HTH
Rick
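An added example (not from this thread or from Cisco) that checks the consistency requirement described above: it parses the PIX-style ACEs (subnet masks) and the IOS-style ACEs on R3 (wildcard masks), normalizes both to networks, and reports whether the R3 crypto ACL is the mirror image of the PIX one. The ACL lines are the ones quoted in this thread; the function names are my own.

```python
import ipaddress
import re

# Constructed from the ACLs quoted in the thread.
PIX_ACL = "access-list 101 extended permit ip 10.11.11.0 255.255.255.0 10.11.20.0 255.255.255.0"
R3_ACL = "access-list 101 permit ip 10.11.20.0 0.0.0.255 10.11.11.0 0.0.0.255"
# The reversed PIX entry the poster tried, which did not work.
PIX_ACL_REVERSED = "access-list 101 extended permit ip 10.11.20.0 255.255.255.0 10.11.11.0 255.255.255.0"

# Matches both "extended permit ip" (PIX/ASA) and "permit ip" (IOS) ACEs.
_ACE = re.compile(
    r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)


def _network(addr, mask, wildcard):
    """Build an IPv4Network from an address plus a subnet mask or a wildcard mask."""
    if wildcard:
        # IOS wildcard (0.0.0.255) is the bitwise inverse of the subnet mask (255.255.255.0).
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text, wildcard):
    """Return the set of (local_net, remote_net) pairs in a crypto ACL."""
    pairs = set()
    for line in text.strip().splitlines():
        m = _ACE.search(line)
        if not m:
            raise ValueError(f"not a permit ip ACE: {line}")
        src, smask, dst, dmask = m.groups()
        pairs.add((_network(src, smask, wildcard), _network(dst, dmask, wildcard)))
    return pairs


def is_mirror(pix_text, ios_text):
    """True if every IOS ACE is the swapped (remote, local) image of a PIX ACE and vice versa."""
    pix = parse_acl(pix_text, wildcard=False)
    ios = parse_acl(ios_text, wildcard=True)
    return {(remote, local) for local, remote in ios} == pix


if __name__ == "__main__":
    print("original PIX ACL mirrors R3:", is_mirror(PIX_ACL, R3_ACL))
    print("reversed PIX ACL mirrors R3:", is_mirror(PIX_ACL_REVERSED, R3_ACL))
```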
01-23-2018 08:18 AM
01-23-2018 09:59 AM
You are welcome. I am glad that my explanations have been helpful.
HTH
Rick