
Question about crypto ipsec rules

gdspa
Level 1

Hi all,

I have a question about ipsec rules for vpn configurations.

Generally I configure ipsec tunnels with this ipsec rule:

local lan     x.x.x.x 255.255.0.0

remote lan y.y.y.y  255.255.0.0

local peer   A.A.A.A

remote peer B.B.B.B

ipsec rule = access-list outside_51_cryptomap extended permit ip x.x.x.x 255.255.0.0 y.y.y.y 255.255.0.0

These days one of our customers wants to add 2 other rules:

access-list outside_51_cryptomap extended deny ip A.A.A.A 255.255.255.255 B.B.B.B 255.255.255.255

access-list outside_51_cryptomap extended permit ip x.x.x.x 255.255.0.0 B.B.B.B 255.255.255.255

Does anyone have any idea about the reason?

They told me there are security reasons. Is it correct?

1 Reply

ajay chauhan
Level 7

I have not come across such a configuration. A LAN-to-LAN IPsec tunnel crypto ACL is basically a permit statement for the subnets between two sites. Even the 2nd statement does not make any sense: deny any any is the default, so it is in no way required.

Thanks

ajay
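The following is an added example, not part of the original thread and not Cisco code: a small first-match evaluator for the three crypto ACL entries in the question, with constructed documentation-range addresses (10.1.0.0/16, 10.2.0.0/16, 198.51.100.1, 203.0.113.1) standing in for x.x.x.x, y.y.y.y, A.A.A.A and B.B.B.B. It assumes the ASA extended ACL syntax with netmasks shown on the page and the standard crypto-ACL meaning of the actions: a permit entry selects traffic for IPsec protection, a deny entry excludes matching traffic from the tunnel, and an implicit deny sits at the end. The `shadowed_entries` helper is an added check that reports entries fully covered by an earlier entry, which is how you can see whether a deny placed after a broader permit still has any effect.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample crypto ACL (documentation-range addresses stand in for
# the placeholders x.x.x.x, y.y.y.y, A.A.A.A and B.B.B.B from the question).
CRYPTO_ACL_LINES = [
    "access-list outside_51_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
    "access-list outside_51_cryptomap extended deny ip 198.51.100.1 255.255.255.255 203.0.113.1 255.255.255.255",
    "access-list outside_51_cryptomap extended permit ip 10.1.0.0 255.255.0.0 203.0.113.1 255.255.255.255",
]


@dataclass(frozen=True)
class AceEntry:
    """One access control entry of a crypto ACL."""
    action: str  # "permit" = protect with IPsec, "deny" = exclude from the tunnel
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line: str) -> AceEntry:
    """Parse 'access-list NAME extended permit|deny ip SRC MASK DST MASK'.

    Only the netmask form used on the page is supported; anything else
    (object-groups, 'host', ports, 'any') is rejected rather than guessed at.
    """
    parts = line.split()
    if len(parts) != 9 or parts[0] != "access-list" or parts[2] != "extended" or parts[4] != "ip":
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action = parts[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    # strict=False tolerates host bits in the address (e.g. x.x.x.x with a /16 mask)
    src = ipaddress.IPv4Network((parts[5], parts[6]), strict=False)
    dst = ipaddress.IPv4Network((parts[7], parts[8]), strict=False)
    return AceEntry(action, src, dst)


def crypto_acl_action(acl: List[AceEntry], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation: the first entry covering src->dst decides.

    Returns "permit" (flow is selected for the IPsec SA) or "deny"
    (flow is left outside the tunnel). No entry matching = implicit deny.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def shadowed_entries(acl: List[AceEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry
    already covers their whole source and destination range."""
    shadowed = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if ace.src.subnet_of(earlier.src) and ace.dst.subnet_of(earlier.dst):
                shadowed.append(i)
                break
    return shadowed


def classify_flows(acl: List[AceEntry]) -> Dict[str, str]:
    """Evaluate a few constructed flows against the ACL."""
    flows: Dict[str, Tuple[str, str]] = {
        "lan-to-lan": ("10.1.20.5", "10.2.7.9"),            # local LAN host -> remote LAN host
        "peer-to-peer": ("198.51.100.1", "203.0.113.1"),    # tunnel endpoint -> tunnel endpoint
        "lan-to-remote-peer": ("10.1.20.5", "203.0.113.1"), # local LAN host -> remote peer address
        "lan-to-internet": ("10.1.20.5", "192.0.2.44"),     # local LAN host -> unrelated address
    }
    return {name: crypto_acl_action(acl, s, d) for name, (s, d) in flows.items()}


CRYPTO_ACL = [parse_ace(line) for line in CRYPTO_ACL_LINES]

if __name__ == "__main__":
    for name, action in classify_flows(CRYPTO_ACL).items():
        print(f"{name:20s} -> {action}")
    print("shadowed entries:", shadowed_entries(CRYPTO_ACL))
```

With the constructed addresses, the peer-to-peer flow hits the deny entry and stays outside the tunnel, LAN-to-LAN and LAN-to-remote-peer traffic is selected by the two permit entries, and anything else falls through to the implicit deny. Because the peer addresses lie outside the LAN ranges here, none of the three entries is shadowed; if the deny were placed after a permit that already covered both peers, `shadowed_entries` would flag it as dead.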