PIX - Can extended ACLs be used as crypto ACLs on a PIX

Discussion in 'Cisco' started by Shad T, Jun 29, 2004.

  Shad T (Guest)

    Pix 6.3(3)

    I have read on one source that v5.1 and above should support greater
    protocol and port granularity for the crypto ACLs, but I have not
    been able to confirm if this is possible and the proper configuration
    (given both sides of the tunnel may use different vendors).

    So here are my questions:

    1. Can you please confirm if it is possible to use an extended
    access-list as a crypto ACL?

    2. If so, do all of the associated denied and allowed port/protocol
    ACLs and policies (if not PIX on the other end) have to match
    exactly? I am assuming the answer is yes.

    Situation in which it will be applied:

    We have a site that has many, many tunnels and most have private class
    on the remote end. Some of these tunnels terminate to vendors and
    clients that we may not want to have complete IP access back into the
    associated hosts/networks in the crypto ACL. If we disable sysopt
    connection permit ipsec . . . we would have to open up a ton of
    private class networks with full IP access off of our direct inbound
    ACL (this is not preferable).


    Shad T, Jun 29, 2004
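The configuration the question describes, as an added illustration that is not the poster's config: a port-granular crypto ACL for one vendor tunnel on a PIX 6.3-style CLI, with the sysopt bypass turned off and a matching inbound entry on the outside ACL. All names, addresses, the peer and the pre-shared key are constructed placeholders, and the remote peer is assumed to mirror the crypto ACL entry (same protocol and port).

```cisco
! Added example, not from the original post. Placeholders: 10.1.1.10 (local host),
! 192.168.50.0/24 (vendor network), 203.0.113.25 (vendor peer), EXAMPLE_KEY (pre-shared key).
!
! Crypto ACL written from the local side: only HTTPS on the local host is tunnelled.
! Decrypted traffic that does not match these proxy identities is dropped by IPsec.
! The vendor side must mirror this entry, e.g. "permit tcp 192.168.50.0/24 host 10.1.1.10 eq 443".
access-list VENDOR_CRYPTO permit tcp host 10.1.1.10 eq 443 192.168.50.0 255.255.255.0
!
! Exempt the same traffic from NAT so the inside address is what the tunnel carries.
access-list NONAT permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Minimal IKE phase 1 (pre-shared key) for the vendor peer.
isakmp enable outside
isakmp key EXAMPLE_KEY address 203.0.113.25 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
!
! Phase 2: bind the granular crypto ACL to this peer's crypto map entry.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VENDOR_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.25
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Do not let decrypted traffic bypass the outside ACL; permit only what this tunnel carries.
! One such line per tunnel is the trade-off the question describes.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 443
access-group OUTSIDE_IN in interface outside
```

With the crypto ACL itself limited to one port, a vendor peer that sends other traffic into the tunnel gets it dropped at the IPsec proxy-identity check before the interface ACL is consulted, so the inbound ACL entry is a second, independent control rather than the only one.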