Garry Cross
Beginner

FPR2110 ASA Code outside access list denies tunneled traffic.

This is the first time configuring a VPN L2L between an FPR2110 running ASA software and another real ASA.

We found that the outside access list was denying the tunneled traffic.

We needed to add permit ip 172.16.0.0 255.255.0.0 any to the ACL in order for communication to work.

Cisco Adaptive Security Appliance Software Version 9.10(1) <context>
Firepower Extensible Operating System Version 2.4(1.103)

I can't imagine that this is working as designed.

Thanks for any insight.

Accepted Solution
Rob Ingram
VIP Mentor

@Garry Cross 

To permit any packets that come from an IPsec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/vpn/asa-99-vpn-config/vpn-params.html

Replies
Thank you. It would appear someone configured the no form of that command.

act# show run | inc sysopt
no sysopt connection permit-vpn
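As an added example (not from this thread or from Cisco), a small Python audit that reproduces the situation above over a constructed config fragment: with `no sysopt connection permit-vpn` the inbound interface ACL is consulted for the decrypted tunnel traffic, so the check flags a crypto-map remote network that the ACL does not permit, and passes again once either the permit line from the first post is added ahead of the deny or permit-vpn is turned back on. The ASA parsing is deliberately minimal (extended ACEs with explicit masks, `host` and `any` only, no object-groups), and the ACL names and addresses are invented.

```python
import ipaddress
# Constructed ASA config fragment modelled on the thread: an L2L crypto map whose remote
# network is 172.16.0.0/16, an inbound ACL on outside, and permit-vpn turned off.
BROKEN = """\
access-list L2L extended permit ip 10.1.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.5 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
crypto map OUTSIDE_MAP 10 match address L2L
no sysopt connection permit-vpn
"""
# The workaround from the first post: permit the tunnelled source on the ACL, ahead of the deny.
FIXED = BROKEN.replace("access-list OUTSIDE_IN extended deny",
                       "access-list OUTSIDE_IN extended permit ip 172.16.0.0 255.255.0.0 any\n"
                       "access-list OUTSIDE_IN extended deny")

def _net(tok):  # consume one ASA address spec (any | host A | A MASK) -> (network, rest)
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_config(text):  # minimal: extended ACEs, access-group, crypto map match, sysopt
    acls, bound, crypto_acls = {}, {}, set()
    permit_vpn = True  # ASA default: decrypted VPN traffic bypasses interface ACLs
    for t in (line.split() for line in text.splitlines()):
        if t[:4] == ["no", "sysopt", "connection", "permit-vpn"]:
            permit_vpn = False
        elif t[:1] == ["access-list"] and t[2] == "extended":
            src, rest = _net(t[5:])
            acls.setdefault(t[1], []).append((t[3], t[4], src, _net(rest)[0]))
        elif t[:1] == ["access-group"] and t[2] == "in":
            bound[t[4]] = t[1]
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto_acls.add(t[-1])
    return acls, bound, crypto_acls, permit_vpn

def audit_tunnel_acl(text, interface="outside"):  # -> (ok, reason) for decrypted L2L traffic
    acls, bound, crypto_acls, permit_vpn = parse_config(text)
    if permit_vpn:
        return True, "sysopt connection permit-vpn is on: interface ACLs bypassed for VPN traffic"
    name, aces = bound.get(interface), acls.get(bound.get(interface), [])
    # Crypto-ACL destinations are the remote networks; after decryption they are the
    # *source* of the inbound packets, so that is what the interface ACL must permit.
    remote = {d for n in crypto_acls for a, _, _, d in acls.get(n, []) if a == "permit"}
    # Simplified coverage check: the first 'ip' ACE whose source covers the whole remote
    # net decides; with no match the ASA's implicit deny at the end of the ACL applies.
    blocked = [str(r) for r in sorted(remote) if next(
        (a for a, p, s, _ in aces if p == "ip" and s.supernet_of(r)), "deny") != "permit"]
    return (False, f"{name} has no 'permit ip <net> any' for tunnelled source(s) {blocked}") \
        if blocked else (True, f"{name} permits every tunnelled source")
```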
