Question about crypto ipsec rules

Hi all,

I have a question about ipsec rules for vpn configurations.

Generally I configure ipsec tunnels with this ipsec rule:

local lan x.x.x.x 255.255.0.0
remote lan y.y.y.y 255.255.0.0
local peer A.A.A.A
remote peer B.B.B.B

ipsec rule = access-list outside_51_cryptomap extended permit ip x.x.x.x 255.255.0.0 y.y.y.y 255.255.0.0

These days one of our customers wants to add 2 other rules:

access-list outside_51_cryptomap extended deny ip A.A.A.A 255.255.255.255 B.B.B.B 255.255.255.255

access-list outside_51_cryptomap extended permit ip x.x.x.x 255.255.0.0 B.B.B.B 255.255.255.255

Does anyone have any idea about the reason?

They told me there are security reasons. Is it correct?

1 REPLY

I have not come across such a configuration. A LAN-to-LAN IPsec tunnel crypto ACL is basically a permit statement for subnets between two sites. Also, the 2nd statement does not make any sense: deny any any is the default, so it is not required in any way.

Thanks

ajay
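
The three-line crypto ACL from the question, evaluated first-match in Python as an added example (not part of either post). The addresses are constructed stand-ins for the thread's x/y/A/B placeholders, and the function names are hypothetical. It models the usual crypto ACL semantics: permit selects a flow for IPsec, deny or no match leaves it out of this crypto map entry.

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders (assumptions):
# x.x.x.x/16 = 10.1.0.0, y.y.y.y/16 = 10.2.0.0, A.A.A.A = 192.0.2.1, B.B.B.B = 198.51.100.1
ACL_TEXT = """\
access-list outside_51_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside_51_cryptomap extended deny ip 192.0.2.1 255.255.255.255 198.51.100.1 255.255.255.255
access-list outside_51_cryptomap extended permit ip 10.1.0.0 255.255.0.0 198.51.100.1 255.255.255.255
"""

def parse_acl(text):
    """Parse only the form used in the thread: ... extended ACTION ip SRC MASK DST MASK."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = line.split()
        if len(tok) != 9 or tok[0] != "access-list" or tok[2] != "extended" \
                or tok[3] not in ("permit", "deny") or tok[4] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        entries.append((tok[3],
                        ipaddress.ip_network(f"{tok[5]}/{tok[6]}"),
                        ipaddress.ip_network(f"{tok[7]}/{tok[8]}")))
    return entries

def classify(entries, src, dst):
    """First matching line wins; returns (line_number, verdict)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, snet, dnet) in enumerate(entries, 1):
        if s in snet and d in dnet:
            # permit = selected for IPsec; deny = left out of this crypto map entry
            return n, ("ipsec" if action == "permit" else "not-selected")
    return None, "not-selected"  # implicit deny at the end of the ACL

def deny_changes_outcome(entries, line_number):
    """True if a later permit overlaps this deny, so removing it could change a verdict."""
    action, snet, dnet = entries[line_number - 1]
    if action != "deny":
        raise ValueError("not a deny line")
    return any(a == "permit" and snet.overlaps(s) and dnet.overlaps(d)
               for a, s, d in entries[line_number:])

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for src, dst in [("10.1.5.10", "10.2.9.9"), ("192.0.2.1", "198.51.100.1"),
                     ("10.1.5.10", "198.51.100.1"), ("10.1.5.10", "203.0.113.7")]:
        print(f"{src:>12} -> {dst:<13}", classify(acl, src, dst))
    print("line 2 deny changes outcome:", deny_changes_outcome(acl, 2))
```

With these stand-in addresses the peer A sits outside the local LAN range, so no permit line overlaps the deny; substituting an address inside 10.1.0.0/16 for A makes the third line overlap it and the deny then decides the verdict.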