ACL of "permit ip any any" over site-to-site VPN with PIX?

seth_fox
Level 1

Can anyone tell me if it is possible to use an ACL of "permit ip any any" to tunnel all external traffic from one site to another on the PIX units, with ACL and NAT examples?

Currently, my ACL and NAT config are as follows:

! crypto ACL: local 9.26.198.0/23 to the remote 9.26.192.0/22
access-list 140 permit ip 9.26.198.0 255.255.254.0 9.26.192.0 255.255.252.0
! NAT exemption for all traffic leaving the inside interface
access-list 25 permit ip any any
nat (inside) 0 access-list 25
! identity NAT for the local /23
nat (inside) 0 9.26.198.0 255.255.254.0 0 0

(the other PIX basically mirrors this config)

This works fine, and a tunnel is properly built. Now, when I replace ACL 140 with "permit ip any any", I can't get a full tunnel established (it looks like Phase 1 happens, but Phase 2 doesn't), even if I try to ping a host on the other network (i.e. 9.26.192.x). I get the exact same behavior if I try to ping/ftp/etc. a host external to the two networks (e.g. 12.12.12.12). Does there need to be some sort of corresponding ACL change on the other PIX? A different NAT statement? Or does it just not work, no matter what I do?

I realize that Cisco recommends against using an ACL of "permit ip any any" to tunnel all traffic to another PIX, but if this is possible, it would save us around 100 config lines per PIX unit (with 6 sites total).

Any help would be appreciated.

1 Reply

marcus.kellman
Level 1

Try this:

! crypto ACL: everything from the local /23, whatever the destination
access-list 140 permit ip 9.26.198.0 255.255.254.0 any
! NAT exemption using the same match
access-list 25 permit ip 9.26.198.0 255.255.254.0 any

and mirror it on the other side.

Hope this helps
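The reply's suggestion written out as a complete pair of PIX 6.x configurations, one per side. This is an added example and not configuration posted in the thread: the networks are the ones from the question, while the peer addresses 198.51.100.1 and 203.0.113.1, the pre-shared key, and the names VPNMAP and ESP-3DES-SHA are placeholders chosen for illustration.

```cisco
! Added example (not from the thread). Peer addresses, the pre-shared key,
! the crypto map name and the transform-set name are placeholders.
!
! ---- Spoke PIX: inside 9.26.198.0/23, outside 198.51.100.1 ----
! Crypto ACL: everything from the local LAN, to any destination.
access-list 140 permit ip 9.26.198.0 255.255.254.0 any
! NAT exemption with the same match, so tunnelled traffic keeps its real source.
nat (inside) 0 access-list 140
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address 140
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
!
! ---- Hub PIX: inside 9.26.192.0/22, outside 203.0.113.1 ----
! Exact mirror of the spoke's crypto ACL: source and destination swapped.
! Phase 2 completes only when both peers propose matching proxy identities,
! so "any any" on one side against a specific ACL on the other never matches.
access-list 140 permit ip any 9.26.198.0 255.255.254.0
nat (inside) 0 access-list 140
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address 140
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

Two checks worth making before blaming the ACL. First, the two crypto ACLs must be exact mirrors (same networks, source and destination swapped); a spoke proposing "any any" to a hub whose crypto ACL names specific networks is the usual reason Phase 1 succeeds while Phase 2 does not. Second, sending Internet-bound traffic (the 12.12.12.12 case in the question) through the hub means decrypted packets have to leave the hub through the same outside interface they arrived on; PIX 6.x does not forward such traffic, and allowing it requires the `same-security-traffic permit intra-interface` command introduced in 7.0, plus a NAT rule at the hub for the spoke's addresses.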