Hi Asif

Did you try initiating the VPN from behind the ASA? If yes, the UDP traffic
is being inspected and return traffic is allowed.

Try initiating the traffic from the other end.


With regards
Kings

On Sat, Jan 30, 2010 at 6:16 PM, Asif Khan <[email protected]> wrote:

> Hello group,
>
>
> Topology: R1 <-> ASA <-> R2
> Traffic between R1 lo0(1.1.1.1) and R2 lo0(2.2.2.2) protected by l2l IPSec.
>
> I am using the following ACL on both inside and outside interfaces of ASA:
>
> access-list VPN extended deny udp any any log
> access-list VPN extended permit esp any any
> access-group VPN in interface outside
> access-group VPN in interface inside
>
> but I am able to bring up the tunnel from both inside and outside ...
>
> Shouldn't blocking udp500/4500 block the tunnel construction?
>
> Thanks in Advance,
> - Asif
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
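As an added example (not code from the thread or from either poster), here is a small first-match evaluator for the access list Asif quoted, run against the packets an IKEv1/IPsec tunnel actually needs: IKE on UDP/500, NAT-T on UDP/4500, and ESP (IP protocol 50). It models only the ACE syntax used in the post (`access-list NAME extended {permit|deny} PROTO any any [log]`) plus an optional destination `eq PORT`, which is an assumption added here so a port-specific "tunnel only" ACL can be compared with the posted one; the packets are constructed, not captured, and the ASA's own inspection behaviour that Kings refers to is not modelled.

```python
"""First-match evaluator for the ASA-style access list quoted in the thread.

Added example, not part of the original post.  Only the ACE syntax the
thread uses is parsed, plus an optional destination 'eq PORT' (an
assumption made here).  Packets below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers; 'ip' means any protocol.
IP_PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Ace:
    action: str                   # 'permit' or 'deny'
    proto: Optional[int]          # None = any protocol ('ip')
    dport: Optional[int]          # None = any destination port
    log: bool
    text: str                     # original line, for reporting

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line into an Ace."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = tok[3], tok[4]
    if action not in ("permit", "deny") or proto not in IP_PROTO:
        raise ValueError(f"unsupported action/protocol: {line!r}")
    rest = tok[5:]
    if rest[:2] != ["any", "any"]:
        raise ValueError(f"only 'any any' source/destination modelled: {line!r}")
    rest = rest[2:]
    dport = None
    if rest[:1] == ["eq"]:                      # assumed extension: 'eq PORT'
        if proto not in ("tcp", "udp"):
            raise ValueError(f"'eq' needs tcp/udp: {line!r}")
        dport = int(rest[1])
        rest = rest[2:]
    log = rest == ["log"]
    if rest and not log:
        raise ValueError(f"trailing tokens not understood: {line!r}")
    return Ace(action, IP_PROTO[proto], dport, log, line.strip())


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.text
    return "deny", "implicit deny at end of ACL"


# The ACL exactly as posted in the thread.
POSTED_ACL = parse_acl("""
access-list VPN extended deny udp any any log
access-list VPN extended permit esp any any
""")

# Assumed alternative (not from the thread): permit only what an IKEv1/IPsec
# tunnel needs, i.e. IKE on UDP/500, NAT-T on UDP/4500, and ESP.
TUNNEL_ONLY_ACL = parse_acl("""
access-list VPN extended permit udp any any eq 500
access-list VPN extended permit udp any any eq 4500
access-list VPN extended permit esp any any
""")

# Constructed packets: the tunnel's traffic plus an unrelated bystander.
IKE = Packet(proto=17, dport=500)       # ISAKMP
NAT_T = Packet(proto=17, dport=4500)    # IPsec NAT traversal
ESP = Packet(proto=50)                  # encrypted data plane
TELNET = Packet(proto=6, dport=23)      # unrelated TCP


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("tunnel-only", TUNNEL_ONLY_ACL)):
        for label, pkt in (("IKE udp/500", IKE), ("NAT-T udp/4500", NAT_T),
                           ("ESP", ESP), ("telnet tcp/23", TELNET)):
            action, why = evaluate(acl, pkt)
            print(f"{name:12} {label:15} -> {action:6} via: {why}")
```

Read literally, the posted list denies IKE and NAT-T and permits only ESP, which is exactly why the question expects the tunnel not to come up; anything the list does not name (the TCP packet here) falls to the implicit deny. The "tunnel only" list is the narrower shape one would write to let the negotiation through while still logging or dropping other UDP.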