Showing results for 
Search instead for 
Did you mean: 

Do I need to create the ACL allow traffic to another side of VPN.

I've create the site-to-site VPN between my ASA and customer firewall.

I've done it my VPN wizard and Tunnel is up already. But my problem is when my client in LAN interface try to connect the server on another side of VPN, it cannot connect and show blocking in ASA log.

So I've tried by add the ACL to allow source LAN subnet to destination server then the connection was successful.

My question is although we have complete the site-to-site VPN setup , We still need ACL allow the connection again?

Deepak Kumar
VIP Advocate


Which type of VPN configuration? As you mentioned that Site to site VPN tunnel then you must have a VPN interested ACL and that ACL must be called in Crypto-MAP or Ikev2 Profile. 



Deepak Kumar 

Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Thank you for your respond.

I'm using the Site-to-Site VPN

Yes I've the interested ACL as below

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1

And called in Crypto-MAP

crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.xx 

But the client in network can't access to the server in group DM_INLINE_NETWORK_1 and the ASA log show the traffic has been blocked

So I've create the ACL for allow as below

access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1

Then very thing work as expected , So I'm not sure this is the right setup?

Karsten Iwen
VIP Mentor

Although the VPN will allow your needed traffic, the interface ACL where your client is located (i.g. the inside-interface) still needs a permit-entry for that traffic.



My client is direct connected to the inside-interface.

regardless of directly connected or not, if you have an inside ACL you still need a permit-entry for that traffic. Best to simulate the traffic with packet-tracer:


packet-tracer input inside tcp IP-OF-CLIENT 1234 IP-OF-SERVER PORT-ON-SERVER

run that two times and show the output of the second run.