11-24-2014 07:51 AM - edited 02-21-2020 07:56 PM
Hi,
I define an IPsec tunnel by "crypto map" on the outside interface.
"vpn_acl" is assigned to this crypto map and defines the traffic that I want to encrypt.
I don't understand if I have to add an access-list on the inbound interface "inside" that permits this traffic.
I see in the documentation: "The crypto access list does not determine whether to permit or deny traffic through the interface. An access list applied directly to the interface with the access-group command makes that determination."
But on the other hand I don't see in the examples for IPsec tunnel configuration any step for the definition of an inbound interface ACL.
I understand that the "sysopt connection permit-vpn" command is relevant only to traffic that arrives from the tunnel, am I right?
Thank you.
Eliezer.
11-27-2014 01:53 PM
Hello Eliezer,
You are right, you will need to do something like this:
192.168.1.0/24 Inside ASA1 <---------------> ASA2 inside 172.16.1.0/24
ASA1:
access-list INSIDE_IN permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group INSIDE_IN in interface inside
ASA2:
access-group INSIDE_IN in interface inside
sysopt connection permit-vpn
To permit any packets that come from an IPsec or SSL VPN tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.
You might want to bypass interface ACLs for IPsec or SSL VPN traffic if you use a separate VPN concentrator behind the ASA and want to maximize the ASA performance. Typically, you create an ACL that permits IPsec or SSL VPN packets using the access-list command and apply it to the source interface. Using an ACL is more secure because you can specify the exact traffic you want to allow through the ASA.
Let me know if this works out!
Please don't forget to rate and mark as correct the helpful post!
Regards,
David Castro
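As an added example (not from the thread or from Cisco), a small Python check for the point made above: it reads an ASA configuration, finds the crypto ACLs referenced by "match address", and reports any crypto ACL entry whose source/destination pair is not permitted by the ACL bound inbound on the inside interface. The configuration text is constructed here for illustration; only "permit ip" entries with network/mask pairs are parsed, and "sysopt connection permit-vpn" is deliberately ignored because, as the thread notes, it only affects traffic arriving from the tunnel, not clear traffic entering the inside interface.

```python
import ipaddress
import re

# Constructed sample config (not from the original post): the second vpn_acl
# entry is encrypted by the crypto map but never permitted on the inside ACL.
SAMPLE_CONFIG = """
access-list vpn_acl extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_acl extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group INSIDE_IN in interface inside
crypto map outside_map 10 match address vpn_acl
"""

# Only simple "permit ip <net> <mask> <net> <mask>" entries are understood (assumption).
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for permit-ip entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, src_mask, dst, dst_mask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{src_mask}"),
                 ipaddress.ip_network(f"{dst}/{dst_mask}")))
    return acls


def crypto_acl_names(config):
    """Names of ACLs used as crypto ACLs via 'crypto map ... match address'."""
    return re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)


def interface_acl(config, iface):
    """Name of the ACL applied inbound on the given interface, or None."""
    m = re.search(rf"^access-group (\S+) in interface {iface}$", config, re.M)
    return m.group(1) if m else None


def uncovered_crypto_entries(config, iface="inside"):
    """Crypto ACL entries not fully permitted by the interface's inbound ACL."""
    acls = parse_acls(config)
    permitted = acls.get(interface_acl(config, iface) or "", [])
    missing = []
    for name in crypto_acl_names(config):
        for src, dst in acls.get(name, []):
            # Covered only if some interface ACL entry contains both networks.
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in permitted):
                missing.append((name, str(src), str(dst)))
    return missing
```

Running uncovered_crypto_entries(SAMPLE_CONFIG) flags the 192.168.2.0/24 entry, which the crypto map would try to encrypt but which the inside interface ACL would drop before it ever reaches the tunnel.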