01-18-2011 10:26 AM
Dear Experts,
The question is answered!
Thanks for your help!
01-18-2011 10:29 AM
You don't need the ACL, but you will need another command:
sysopt connection permit-vpn
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution11
Check the link as it has some very helpful troubleshooting and configuring of VPNs.
Hope it helps.
01-18-2011 10:43 AM
For sure you have to do something:
1) Use the command Collin brought, sysopt; this basically bypasses any ACL check of decrypted traffic on the WAN interface. That is, anything coming via the VPN tunnel is allowed. Just one command and everything magically works;
2) Account for the decrypted traffic in the existing ACL on the outside interface. In this case, yes, you would see interesting traffic from the remote LAN on the external interface;
3) The Cisco-recommended way: use sysopt to exempt decrypted traffic from the interface-level ACL check, but use the vpn-filter command under the group policy for a specific VPN tunnel to apply an ACL ONLY to decrypted traffic. Works just fine, only a bit tricky to understand what should be source and destination in the ACL (logic reversed);
Cheers
Yuri
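As an added illustration (not part of this thread and not Cisco's own sample configuration), the three options Yuri lists written out as ASA configuration. Every address, the ACL names, the group-policy name and the peer address are constructed for the example; only the command keywords are real. Option 1 and option 3 share the sysopt line; option 2 is the alternative you would use instead of sysopt.

```cisco
! Constructed topology: local LAN 10.1.0.0/16, remote (peer) LAN 10.2.0.0/16,
! remote peer 203.0.113.10, local web server 10.1.10.20. Names are hypothetical.

! --- Option 1: exempt decrypted VPN traffic from the outside interface ACL ---
! Everything arriving through the tunnel bypasses the access-group on "outside".
sysopt connection permit-vpn

! --- Option 2 (alternative to sysopt, do not combine with it) ---
! Without sysopt, the ACL bound to the outside interface must explicitly permit
! the decrypted traffic; it is matched with the remote LAN as the source.
! access-list OUTSIDE-IN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
! access-group OUTSIDE-IN in interface outside

! --- Option 3: keep sysopt, restrict each tunnel with a vpn-filter ---
! The "reversed logic" Yuri mentions: a vpn-filter ACL is always written with the
! REMOTE side as the source and the LOCAL side as the destination, no matter which
! side opens the connection. The ASA applies it to both directions, swapping the
! addresses for outbound/return traffic, so one rule covers the whole flow.
! Here the remote LAN may reach only the local web server on tcp/443.
access-list VPN-FILTER-SITEB extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.10.20 eq 443
access-list VPN-FILTER-SITEB extended deny ip any any log

group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPN-FILTER-SITEB

! Bind the policy to the site-to-site tunnel for that peer.
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-SITEB
```

A practical check after applying option 3: the explicit deny with log at the end of the vpn-filter ACL makes any tunnel traffic that is not intended show up in syslog, which is the quickest way to confirm that the source/destination orientation of the filter is the one you meant rather than the reverse.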