02-16-2023 07:58 AM
Hi there,
Is it a requirement that changes to allowed VPN traffic prefixes be done at the same time on both ends? Would it create trouble with other VPN traffic, considering that the change is only for new networks being added as interesting traffic?
02-16-2023 08:02 AM - edited 02-16-2023 08:13 AM
@S891 no, that's fine (assuming you are adding an additional ACE to the existing ACL), it'll just mean the VPN won't work for those new networks until both sides are configured.
02-16-2023 08:06 AM - edited 02-16-2023 08:07 AM
Use an object-group,
and when there is a new subnet, only add that subnet to the object-group, if that is what you are asking.
If you are asking about the ACL used by the IPsec policy, then it should MIRROR on both sides.
Here there are two ACLs:
one to allow traffic,
the other for the IPsec policy.
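
The mirroring requirement for the IPsec policy ACL described in the replies above can be checked offline before a change window. This is an added example, not part of any post in the thread; the prefixes and the function names `unmirrored` and `near_misses` are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample data: each peer's IPsec policy ACL as (source, destination).
SITE_A = [("10.1.0.0/16", "10.2.0.0/16"),
          ("10.1.0.0/16", "10.3.0.0/24")]   # new network, added on site A only
SITE_B = [("10.2.0.0/16", "10.1.0.0/16")]

def _parse(entries):
    """Turn (source, destination) strings into a set of network pairs."""
    return {(ip_network(s), ip_network(d)) for s, d in entries}

def unmirrored(local_entries, peer_entries):
    """Entries in the local ACL that have no exact mirror in the peer ACL."""
    peer_mirrored = {(d, s) for s, d in _parse(peer_entries)}
    missing = _parse(local_entries) - peer_mirrored
    return sorted((str(s), str(d)) for s, d in missing)

def near_misses(local_entries, peer_entries):
    """Unmirrored local entries that overlap a peer entry without matching it
    exactly (for example a /16 on one side and a /24 on the other)."""
    peer_mirrored = {(d, s) for s, d in _parse(peer_entries)}
    hits = []
    for s, d in _parse(local_entries) - peer_mirrored:
        for ps, pd in peer_mirrored:
            if s.overlaps(ps) and d.overlaps(pd):
                hits.append(((str(s), str(d)), (str(ps), str(pd))))
    return sorted(hits)

if __name__ == "__main__":
    # Check both directions: an entry can be missing on either peer.
    for name, local, peer in (("A", SITE_A, SITE_B), ("B", SITE_B, SITE_A)):
        for src, dst in unmirrored(local, peer):
            print(f"site {name}: {src} -> {dst} has no mirror on the peer")
```

With the sample data, only the newly added pair is reported, and the existing mirrored entry is unaffected.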