Do I need to create an ACL to allow VPN traffic coming in on the external interface?

txing
Level 1

Dear Experts,

The question is answered!

Thanks for your help!

2 Replies

Collin Clark
VIP Alumni

You don't need the ACL, but you will need another command:

sysopt connection permit-vpn

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution11

Check the link as it has some very helpful troubleshooting and configuring of VPNs.

Hope it helps.

For sure you have to do something:

1) Use the command Collin brought, sysopt. This basically bypasses any ACL check of decrypted traffic on the WAN interface; that is, anything coming via the VPN tunnel is allowed. Just one command and everything magically works;

2) Account for the decrypted traffic in the existing ACL on the outside interface. In this case, yes, you would see interesting traffic from the remote LAN on the external interface;

3) The way recommended by Cisco: use sysopt to exempt decrypted traffic from the interface-level ACL check, but use the vpn-filter command under the group policy for the specific VPN tunnel to apply an ACL ONLY to decrypted traffic. Works just fine, only a bit tricky to understand what should be source and destination in the ACL (logic reversed);

Cheers

Yuri
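The three options from the replies above, written out as an ASA configuration fragment. This is an added example, not configuration from either poster; the interface names, networks, peer address and object names are made-up placeholders.

```cisco
! Added example (not from the original thread): hypothetical ASA with LAN
! 10.1.1.0/24 behind "inside" and a site-to-site peer at 203.0.113.10 whose
! LAN is 192.168.50.0/24. All addresses and names are placeholders.
!
! --- Option 1: bypass the outside ACL for decrypted traffic ---
! Check the effective setting first; "show running-config all" prints defaults too:
!   show running-config all sysopt
sysopt connection permit-vpn
!
! --- Option 2: no bypass; decrypted traffic must pass the outside ACL ---
! no sysopt connection permit-vpn
! access-list OUTSIDE_IN extended permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
! access-group OUTSIDE_IN in interface outside
!
! --- Option 3: keep the bypass, but filter this one tunnel with vpn-filter ---
! A vpn-filter ACL is written from the remote peer's point of view:
! source = remote LAN (192.168.50.0/24), destination = local LAN (10.1.1.0/24),
! and the ASA applies it to traffic in both directions (fields swapped for
! packets leaving towards the peer). So "local hosts may reach the remote web
! server on port 80" puts the port on the SOURCE side of the ACE.
access-list VPNFILTER_SITEB extended permit tcp 192.168.50.0 255.255.255.0 eq 80 10.1.1.0 255.255.255.0
access-list VPNFILTER_SITEB extended permit icmp 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
! Everything else over this tunnel is dropped by the implicit deny at the end.
group-policy GP_SITEB internal
group-policy GP_SITEB attributes
 vpn-filter value VPNFILTER_SITEB
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITEB
```

After applying option 3, "show vpn-sessiondb l2l" lists the tunnel with its filter name, and "show access-list VPNFILTER_SITEB" shows hit counts so you can confirm the reversed source/destination actually matches the traffic you expect.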