04-22-2015 01:43 AM
I know that when we set up Site-to-Site IPsec VPNs on ASAs or on Cisco routers we have to have mirrored crypto ACLs, but are there cases where we can make it work without mirroring the ACLs?
For example, the user subnet 192.168.1.0/24 on site A should access a server 172.16.2.1 on site B, whereas the user subnet 192.168.2.0/24 on site B should access a server 172.16.1.1 on site A.
Can I make it work with non-mirrored ACLs? Thank you!
Solved! Go to Solution.
04-22-2015 07:04 AM
Hi,
In this case the mirrored ACLs are required either way; you will need to create the same on both sides and it will work, otherwise phase 2 will be stuck and not be able to come up. Sometimes it may work, though it is not a best practice, because when the tunnel gets rekeyed at phase 2 it sometimes does not come back up since there is a mismatch.
Hope this helps!
Please proceed to rate and mark as correct the helpful post!
David Castro,
Regards
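The scenario from the question, written out as mirrored crypto ACLs on each router, as an added illustration that is not part of the original thread. Both traffic flows (site A users to the site B server, and site B users to the site A server) get one entry per side, and each entry on one side is the exact source/destination reversal of an entry on the other. The crypto map name, transform-set name and the 203.0.113.x peer addresses are placeholders; phase 1 policy and the transform set are assumed to exist already.

```cisco
! ---- Site A router (assumed: peer 203.0.113.2 is site B) ----
ip access-list extended CRYPTO-TO-SITE-B
 remark Flow 1: site A users -> server on site B
 permit ip 192.168.1.0 0.0.0.255 host 172.16.2.1
 remark Flow 2 (mirror of site B's entry): site A server -> site B users
 permit ip host 172.16.1.1 192.168.2.0 0.0.0.255
!
crypto map CM-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 match address CRYPTO-TO-SITE-B

! ---- Site B router (assumed: peer 203.0.113.1 is site A) ----
ip access-list extended CRYPTO-TO-SITE-A
 remark Flow 2: site B users -> server on site A
 permit ip 192.168.2.0 0.0.0.255 host 172.16.1.1
 remark Flow 1 (mirror of site A's entry): site B server -> site A users
 permit ip host 172.16.2.1 192.168.1.0 0.0.0.255
!
crypto map CM-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA
 match address CRYPTO-TO-SITE-A
```

Each ACL entry produces its own phase 2 SA pair; after the tunnel is up, `show crypto ipsec sa` on either router lists a local ident / remote ident for every SA, and each pair should match one entry here and its mirror on the peer. Keeping the entries host- and subnet-specific like this, rather than a broad permit, also limits what traffic the tunnel will carry between the two sites.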
04-25-2015 06:05 AM
Hi David Castro,
Thank you for the explanation! :)
David
04-25-2015 01:29 PM
It was a pleasure; whenever you need assistance, let me know! :)
David Castro,
Regards