12-30-2004 08:17 AM
I have two questions concerning ACLs used in the crypto map statements:
1. Do both VPN devices have to have the same ACEs within the ACL? I know that without the second ACE site B below will not see UDP traffic as interesting, but will the VPN tunnel fail because the ACLs don't have the same ACEs?
i.e.
Site A
access-list 110 permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 110 permit udp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
Site B
access-list 110 permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
2. Once a tunnel is established, will it send ANY/ALL traffic destined to the remote network across that tunnel? If the first ACE in the 110 ACL for Site A is used to bring up the tunnel, will only TCP traffic sourced from 10.0.1.0/24 destined for 10.0.2.0/24 use the tunnel, or will any traffic sourced from 10.0.1.0/24 destined for the remote network cross the tunnel?
I guess my thought is this: is the ACL used only to determine interesting traffic, and once the tunnel is up it is a free-for-all? Or does the ACL only allow traffic that meets the criteria specified in the ACL to flow after the tunnel is established?
Thanks,
Brian
12-30-2004 09:08 AM
Brian,
Your statement
"Or does the ACL only allow traffic that meets the criteria specified in the ACL to flow after the tunnel is established"
is correct. Only traffic that meets the crypto ACL will pass through the VPN tunnel, and any other traffic will be denied. If you need UDP traffic to traverse via the tunnel you'll need crypto ACLs on both sides and not just on one side, i.e. SITE A.
Hope this helps,
Jay
12-30-2004 09:29 AM
Jay,
Thanks for the response and help.
Brian
01-03-2005 11:51 AM
Brian,
To follow up your second question.
In regards to TCP traffic being what initiates the tunnel from site A to site B, TCP traffic will not be the only thing allowed over that particular tunnel. Since you have also allowed UDP traffic via the same crypto ACL, it will also be allowed over the tunnel. However, my understanding is that a separate security association (SA) will be created for each entry matched in the crypto ACL. So if you have a very long crypto ACL, you might want to avoid the multiple SAs and create a 'permit any' statement, then filter out what you don't want across the tunnel with an ACL applied to the internal interface.
HTH
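The two points made in this thread (a crypto ACL must be mirrored on the far end, and each matched ACE gets its own SA, so a flow that matches no ACE is simply not interesting to the tunnel) can be checked offline. The script below is an added example, not code from this thread or from Cisco: it parses `access-list N permit ...` lines, reports ACEs that have no mirror image on the other site, and returns which ACE index (hence which SA) a given flow would hit. It assumes IOS wildcard-mask syntax (`0.0.0.255`); the lines in the original post use `255.255.255.0` subnet masks, which is the PIX/ASA convention. The sample ACLs are constructed to match Brian's scenario, and the function names `parse_ace`, `first_match` and `mirror_gaps` are my own.

```python
"""Mirror-check two crypto ACLs and find which ACE (and so which SA) a flow uses.

Added example, not from the original thread. The ACL text below is constructed
input written in IOS wildcard-mask syntax; the PIX/ASA form with subnet masks
(255.255.255.0) is not parsed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    proto: str                      # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> "Ace":
        # The ACE the far end must carry: same protocol, src and dst swapped.
        return Ace(self.proto, self.dst, self.src)


def _net(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        addr = tokens[1]
        del tokens[:2]
        return ipaddress.IPv4Network(addr + "/32")
    addr, wildcard = tokens[0], tokens[1]
    del tokens[:2]
    # IOS wildcard bits are the inverse of the subnet mask.
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit PROTO SRC [WC] DST [WC]'; port qualifiers are ignored."""
    tok = line.lower().split()
    if tok[:1] != ["access-list"] or tok[2] != "permit":
        raise ValueError("only 'access-list N permit ...' lines are supported: " + line)
    rest = tok[4:]
    src = _net(rest)
    dst = _net(rest)
    return Ace(tok[3], src, dst)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def first_match(acl: List[Ace], proto: str, src: str, dst: str) -> Optional[int]:
    """Index of the first ACE a flow hits, i.e. which SA it would be placed in.
    None means the flow is not interesting traffic for this crypto map at all,
    whether or not a tunnel is already up."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return i
    return None


def mirror_gaps(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """ACEs on `local` whose mirror image is missing on `remote`."""
    return [a for a in local if a.mirror() not in remote]


# Constructed sample input modelled on the thread: Site A permits tcp and udp,
# Site B only mirrors the tcp entry.
SITE_A = parse_acl("""
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 permit udp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
""")
SITE_B = parse_acl("""
access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
""")
# The follow-up's alternative: one broad ACE, so one SA pair carries everything
# and the per-protocol filtering moves to an interface ACL instead.
SITE_A_BROAD = parse_acl("""
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
""")


if __name__ == "__main__":
    for gap in mirror_gaps(SITE_A, SITE_B):
        print("Site B has no mirror of:", gap)
    print("A->B udp  hits ACE", first_match(SITE_A, "udp", "10.0.1.5", "10.0.2.9"))
    print("B->A udp  hits ACE", first_match(SITE_B, "udp", "10.0.2.9", "10.0.1.5"))
    print("A->B icmp hits ACE", first_match(SITE_A, "icmp", "10.0.1.5", "10.0.2.9"))
    print("broad A->B icmp hits ACE", first_match(SITE_A_BROAD, "icmp", "10.0.1.5", "10.0.2.9"))
```

Run as-is it reports the missing UDP mirror on Site B, shows the A-to-B UDP flow landing in the second ACE (its own SA) while the B-to-A UDP reply matches nothing on Site B, and shows that with the single `permit ip` entry every protocol shares ACE 0. Real devices also consider port qualifiers and `deny` entries, which this simplified parser does not.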