Do I need to create an ACL to allow VPN traffic coming in on the external interface?

Dear Experts,

The question is answered!

Thanks for your help!


Re: Do I need to create an ACL to allow VPN traffic coming in on

You don't need the ACL, but you will need another command:

sysopt connection permit-vpn

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution11

Check the link as it has some very helpful troubleshooting and configuring of VPNs.

Hope it helps.


Re: Do I need to create an ACL to allow VPN traffic coming in on

For sure you have to do something:

1) Use the command Collin brought - sysopt. This basically bypasses any ACL check of decrypted traffic on the WAN interface; that is, anything coming via the VPN tunnel is allowed. Just one command and everything magically works;

2) Account for the decrypted traffic in the existing ACL on the outside interface. In this case, yes, you would see interesting traffic from the remote LAN on the external interface;

3) The Cisco-recommended way - use sysopt to exempt decrypted traffic from the interface-level ACL check, but use the vpn-filter command under the group policy for a specific VPN tunnel to apply an ACL ONLY to decrypted traffic. Works just fine, only a bit tricky to understand what should be source and destination in the ACL (logic reversed);

Cheers

Yuri
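An added ASA configuration example of the third approach Yuri describes (sysopt plus a per-tunnel vpn-filter); it is not from either reply or from the Cisco article, and the interface roles, network ranges, peer address and object names are all assumed placeholders.

```cisco
! Constructed example, not taken from the thread or from Cisco docs.
! Assumed: local LAN 192.168.10.0/24 behind "inside", remote LAN
! 10.20.0.0/16 behind a site-to-site peer at 203.0.113.2 (placeholders).

! Step 1: exempt decrypted VPN traffic from the outside interface ACL.
sysopt connection permit-vpn

! Step 2: filter decrypted traffic per tunnel with a vpn-filter ACL.
! Reversed logic: in a vpn-filter ACL the SOURCE is always the remote
! (VPN) side and the DESTINATION is the local network. The ASA evaluates
! the same ACL for traffic in both directions with the remote side as
! source, so one ACL governs the whole tunnel. Only HTTPS to the local
! LAN and ICMP are allowed here; everything else hits the implicit deny.
access-list VPN-FILTER-SITE-B extended permit tcp 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0 eq 443
access-list VPN-FILTER-SITE-B extended permit icmp 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0

! Step 3: attach the filter to a group policy used by this tunnel only,
! so other tunnels are not affected by this ACL.
group-policy GP-SITE-B internal
group-policy GP-SITE-B attributes
 vpn-filter value VPN-FILTER-SITE-B

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-SITE-B
```

With sysopt in place, the outside interface ACL no longer needs entries for the remote LAN; changes to what the tunnel may carry are made in VPN-FILTER-SITE-B alone.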