04-22-2015 01:43 AM
I know that when we set up site-to-site IPsec VPNs on ASAs or on Cisco routers we have to have mirrored crypto ACLs, but are there cases where we can make it work without mirroring the ACLs?
For example, the user subnet 192.168.1.0/24 on site A should access a server 172.16.2.1 on site B, whereas the user subnet 192.168.2.0/24 on site B should access a server 172.16.1.1 on site A.
Can I make it work with non-mirrored ACLs? Thank you!
Solved!
04-22-2015 07:04 AM
Hi,
In this case the mirrored ACLs are required either way: you will need to create the same entries on both sides and it will work; otherwise phase 2 will get stuck and will not be able to come up. Sometimes it may work, though it is not a best practice, because when the tunnel gets rekeyed at phase 2 it sometimes does not come back up, since there is a mismatch.
Hope this helps!
Please proceed to rate and mark as correct the helpful post!
David Castro,
Regards
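Added example (not from the post or from Cisco): a small checker that parses the crypto ACL from each side of the tunnel and reports every entry whose mirror (destination and source swapped) is absent on the peer. The sample ACLs are constructed for the scenario in the question, with site A as an ASA (subnet masks) and site B as an IOS router (wildcard masks); the ACL names VPN-TO-B and VPN-TO-A are assumed. The one-way configs reproduce the non-mirrored setup that was asked about, the second pair is the mirrored version the answer calls for.

```python
"""Check that two Cisco crypto ACLs mirror each other (added example, not from the post)."""
import ipaddress
import re
from ipaddress import IPv4Network

# Matches the traffic-selector part of an ASA ("... extended permit ip ...") or
# IOS ("permit ip ...") entry. Deny entries, remarks and object-groups are ignored.
ENTRY_RE = re.compile(r"\bpermit\s+ip\s+(.*)$")


def _network(addr: str, mask: str, wildcard: bool) -> IPv4Network:
    """Build a network from address + mask; IOS wildcard masks are inverted first."""
    mask_int = int(ipaddress.IPv4Address(mask))
    if wildcard:
        mask_int ^= 0xFFFFFFFF  # 0.0.0.255 -> 255.255.255.0
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask_int)}", strict=False)


def _endpoint(tokens: list, wildcard: bool):
    """Consume one endpoint: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _network(tokens[0], tokens[1], wildcard), tokens[2:]


def parse_acl(text: str, wildcard: bool = False) -> set:
    """Return the set of (source, destination) selectors in a crypto ACL."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.search(line.strip())
        if not m:
            continue
        src, rest = _endpoint(m.group(1).split(), wildcard)
        dst, _ = _endpoint(rest, wildcard)
        entries.add((src, dst))
    return entries


def mirror_check(local: set, remote: set):
    """Entries on each side whose mirror (dst, src) is absent from the other side."""
    missing_on_remote = sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote)
    missing_on_local = sorted(f"{s} -> {d}" for s, d in remote if (d, s) not in local)
    return missing_on_remote, missing_on_local


# Constructed sample configs for the scenario in the question (assumed ACL names).
SITE_A_ONE_WAY = """
access-list VPN-TO-B extended permit ip 192.168.1.0 255.255.255.0 host 172.16.2.1
"""
SITE_B_ONE_WAY = """
ip access-list extended VPN-TO-A
 permit ip 192.168.2.0 0.0.0.255 host 172.16.1.1
"""
SITE_A_MIRRORED = """
access-list VPN-TO-B extended permit ip 192.168.1.0 255.255.255.0 host 172.16.2.1
access-list VPN-TO-B extended permit ip host 172.16.1.1 192.168.2.0 255.255.255.0
"""
SITE_B_MIRRORED = """
ip access-list extended VPN-TO-A
 permit ip 192.168.2.0 0.0.0.255 host 172.16.1.1
 permit ip host 172.16.2.1 192.168.1.0 0.0.0.255
"""


def check(site_a_asa: str, site_b_ios: str):
    """Parse an ASA ACL (site A) and an IOS ACL (site B) and compare them."""
    return mirror_check(parse_acl(site_a_asa), parse_acl(site_b_ios, wildcard=True))


if __name__ == "__main__":
    for label, a, b in (("one-way", SITE_A_ONE_WAY, SITE_B_ONE_WAY),
                        ("mirrored", SITE_A_MIRRORED, SITE_B_MIRRORED)):
        on_b, on_a = check(a, b)
        print(f"{label}: missing on site B {on_b or 'none'}; missing on site A {on_a or 'none'}")
```

The checker demands an exact mirror: a wider selector on one side (for example `any` against a /24) is reported as missing, because the peer's proxy identities must match the proposal it receives during phase 2. It compares the permit entries only and does not model deny entries, object-groups or entry order.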
04-25-2015 06:05 AM
Hi David Castro,
Thank you for the explanation! :)
David
04-25-2015 01:29 PM
It was a pleasure; whenever you need assistance, let me know! :)
David Castro,
Regards