If you have sysopt connection permit-vpn disabled, you are telling the ASA / PIX to evaluate the traffic as outside traffic. If you have sysopt connection permit-vpn enabled, the traffic is essentially treated as inside traffic and is not subjected to the outside ACL.
Maybe the book is misinterpreting the interesting traffic ACL with the standard Outside-in ACL.
HTH
-ryan
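The two cases Ryan contrasts, written out as an added ASA configuration example (constructed for this page, not from the thread or from Cisco documentation). It assumes a site-to-site tunnel whose crypto map and tunnel group are already in place, local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24, peer 203.0.113.2, and ACL/group-policy names chosen here.

```cisco
! Constructed example: local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24,
! outside interface ACL named OUTSIDE-IN. Crypto map / IKE config omitted.

! Case 1: permit-vpn disabled. After decryption the tunneled traffic is
! evaluated against the interface ACL, so the remote LAN must be permitted
! explicitly or the decrypted packets are dropped by OUTSIDE-IN.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group OUTSIDE-IN in interface outside

! Case 2: permit-vpn enabled (the ASA default). Decrypted traffic bypasses
! OUTSIDE-IN entirely, so restricting it has to happen in a vpn-filter on
! the group policy; the interface ACL no longer constrains it.
sysopt connection permit-vpn
! vpn-filter ACLs are written with the remote (tunnel) side as source.
access-list VPN-FILTER extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 443
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value VPN-FILTER
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-POLICY
```

Because permit-vpn is on by default and therefore absent from the plain running config, use `show running-config all sysopt` to see the effective setting before deciding which of the two cases a given firewall is in.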
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq Yakasai
Sent: Wednesday, April 29, 2009 3:36 PM
To: Cisco certification; Cisco certification
Subject: IPSec tunneled packets and ACL on the Outside
Hi Guys,
Just reading a book here, I came across this statement which I haven't come across (at least yet). It says when IPSec tunneled traffic hits the Outside interface of an ASA, if you do not have *sysopt connection permit-vpn* configured and decided to allow the VPN (related) traffic by opening up the Outside-IN ACL on the Outside interface, then you also NEED TO ALLOW the tunneled traffic through this ACL.
In other words, this IPSec tunneled traffic will be hitting the Outside-IN ACL twice before traversing the ASA; the encrypted and the tunneled traffic.
How true is this? Has anyone encountered this in their configuration endeavours please? Could this behaviour be specific to a version of code run on the ASA?
Thanks in advance,
Sadiq
--
CCIE #19963

Blogs and organic groups at http://www.ccie.net

Received on Wed Apr 29 2009 - 15:44:45 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART