Hi,

This should work fine IMO. Perhaps you have established ISAKMP SA before applying ACL on the ASA?

HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)

2010/1/30 Asif Khan <[email protected]>
> Hello group,
>
> Topology: R1 <-> ASA <-> R2
> Traffic between R1 lo0(1.1.1.1) and R2 lo0(2.2.2.2) protected by l2l IPSec.
>
> I am using the following ACL on both inside and outside interfaces of ASA:
>
> access-list VPN extended deny udp any any log
> access-list VPN extended permit esp any any
> access-group VPN in interface outside
> access-group VPN in interface inside
>
> but I am able to bring up the tunnel from both inside and outside ...
>
> Shouldn't blocking udp500/4500 block the tunnel construction?
>
> Thanks in Advance,
> - Asif
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
