NOTES
- The crypto map policy (sequence) number should be lower than that of any crypto map entry with 'dynamic DYNMAP' in use
- Make sure to check if sysopt is enabled
- Ensure the isakmp policy number is unused on the firewall
- 1 Crypto Map per interface
- ACLs should look like the following
  - access-list 101 permit ip <local-domain/ip> <remote-domain/ip>
  - access-list NONAT permit ip <local-domain/ip> <remote-domain/ip>
  - access-list vpn-filter permit <tcp|udp|ip> <remote-domain/ip> <local-domain/ip> <eq port>
- sysopt connection permit-vpn
  - Remote Enc -> Local Enc traffic will NOT be checked against the outside ACL
  - If no vpn-filter is defined, ALL Remote Enc -> Local Enc traffic will be permitted
- no sysopt connection permit-vpn
  - Remote Enc -> Local Enc traffic will be checked against the outside ACL
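A small pre-change lint for the checklist above, added here as an example (not part of the original notes): it reads a staged ASA config fragment and flags a static crypto map entry numbered at or above the dynamic entry, more than one crypto map bound to an interface, a duplicated isakmp policy number, and sysopt permit-vpn without a vpn-filter. The map name OUTMAP, peer address and the sample config are constructed; the vpn-filter is assumed to be applied with 'vpn-filter value <acl>' under a group-policy.

```python
"""Lint a staged Cisco ASA VPN config fragment against the notes above."""
import re
from collections import defaultdict

# Constructed sample with deliberate mistakes: static entry 100 sits above the
# dynamic entry 50, two maps bound to 'outside', a repeated isakmp policy 10,
# and sysopt permit-vpn enabled with no vpn-filter anywhere in the fragment.
SAMPLE_CONFIG = """
crypto isakmp policy 10
crypto isakmp policy 10
crypto map OUTMAP 100 match address 101
crypto map OUTMAP 100 set peer 203.0.113.10
crypto map OUTMAP 50 ipsec-isakmp dynamic DYNMAP
crypto map OUTMAP interface outside
crypto map OTHERMAP interface outside
sysopt connection permit-vpn
"""

def lint_asa_vpn(config: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    static, dynamic = defaultdict(list), defaultdict(list)
    iface_maps, policies = defaultdict(set), []
    has_sysopt = has_vpn_filter = False
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic", line):
            dynamic[m[1]].append(int(m[2]))          # dynamic (DYNMAP) entry
        elif m := re.match(r"crypto map (\S+) (\d+) match address", line):
            static[m[1]].append(int(m[2]))           # static site-to-site entry
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            iface_maps[m[2]].add(m[1])               # map bound to an interface
        elif m := re.match(r"crypto (?:isakmp|ikev1) policy (\d+)", line):
            policies.append(int(m[1]))
        elif line == "sysopt connection permit-vpn":
            has_sysopt = True
        elif line.startswith("vpn-filter value"):
            has_vpn_filter = True
    for name, dyn_seqs in dynamic.items():
        for seq in static.get(name, []):
            if seq >= min(dyn_seqs):
                findings.append(f"{name} seq {seq} is not below dynamic entry {min(dyn_seqs)}")
    for iface, names in iface_maps.items():
        if len(names) > 1:
            findings.append(f"interface {iface} has {len(names)} crypto maps")
    for p in {p for p in policies if policies.count(p) > 1}:
        findings.append(f"isakmp policy {p} defined more than once")
    if has_sysopt and not has_vpn_filter:
        findings.append("sysopt permit-vpn enabled with no vpn-filter: all Remote Enc -> Local Enc traffic permitted")
    return findings
```

Run the function over the full running config plus the planned lines before pushing the change; a clean result is an empty list.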