Problem PIX 7 VPN ACLs

Status
Not open for further replies.

CHOUM

IS-IT--Management
Jun 24, 2003
22
FR
Hello,

I just migrated to ISO7 and all is OK, but not my VPNs.
It's like the ACLs on crypto maps are not used ... if I add an ACL on my inside interface with the same policy as in the crypto ACL, it works ...
But that's not the way it must work. Does somebody have an idea?

Best regards

Michel
 
Hello,

What exactly do you mean?

Only ACLs which are configured in the crypto map work fine?

Other ACLs, which should check the other traffic, do not work?

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 
No,

Standard ACLs to DMZ or outside, for example, work fine.
But ACLs on my VPNs don't work; if I want them to work I must add them to the standard ACLs too, and that's not the solution ...

VPNs are established but nothing passes through :(

Did I miss a new parameter?

Best regards

Michel
 
Hello,

Have you configured the VPN with the sysopt permit ipsec-option? If so, the PIX opens a transparent VPN tunnel to your sites and will ignore ACLs for those VPNs.

So you have a transparent any-any tunnel. You can configure ACLs on the outside interface for the tunnel, but the PIX will ignore them.

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 