ACLs for L2L VPN
Posted on 2007-03-19
I came across a weird problem last week.
My ACLs for the match statements on the L2L VPNs have always contained the 'any' keyword in the source section.
e.g. access-list VPN permit ip any 192.168.0.0 255.255.255.0
This has always worked in the past. I have recently deployed an ASA. I could see the VPN from the remote site (PIX 501, OS 6.5(3)) coming up, but the return tunnel from the ASA to the PIX wouldn't come up. It wasn't until I removed the any statement and specified the source network that the tunnel came up.
Is this by design, or is this supposed to work with any as the source address?
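The symptom described in the post (tunnel only establishes once the source network is spelled out) is the kind of thing a small offline check can catch before a change window. The script below is an added example, not part of the original post and not Cisco's own tooling: it parses ASA/PIX-style `access-list NAME [extended] permit ip SRC MASK DST MASK` lines, expands `any`, and checks that the two peers' crypto ACLs are mirror images of each other (each local source/destination pair must appear swapped on the remote side). That mirror-image requirement is an assumption of the example, as is the `10.1.0.0/24` network used for the ASA side; the ACL text is constructed to match the post's syntax.

```python
import ipaddress
import re

# Constructed sample ACLs in the syntax used in the post. 10.1.0.0/24 is a
# hypothetical ASA-side network; 192.168.0.0/24 is the network from the post.
ASA_ACL_ANY = """
access-list VPN permit ip any 192.168.0.0 255.255.255.0
"""
ASA_ACL_FIXED = """
access-list VPN extended permit ip 10.1.0.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
# The PIX side, written as the mirror of the fixed ASA entry.
PIX_ACL = """
access-list VPN permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.255.0
"""

# Matches "access-list NAME permit ip ..." with the optional ASA "extended" keyword.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")


def _take_endpoint(tokens):
    """Consume one endpoint from the token list: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.

    Returns the endpoint as an ip_network plus the remaining tokens.
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return a list of (acl_name, src_network, dst_network) for every 'permit ip' entry."""
    entries = []
    for line in text.strip().splitlines():
        match = ACE_RE.match(line.strip())
        if not match:
            continue  # comments, blank lines and non-IP entries are ignored
        name, rest = match.groups()
        tokens = rest.split()
        src, tokens = _take_endpoint(tokens)
        dst, tokens = _take_endpoint(tokens)
        entries.append((name, src, dst))
    return entries


def check_mirror(local_text, remote_text):
    """Compare two crypto ACLs; return a list of problems (empty means they mirror each other).

    Flags 'any' used as a source (the case from the post) and any entry whose
    swapped source/destination pair is missing on the other peer.
    """
    local = parse_acl(local_text)
    remote = parse_acl(remote_text)
    local_pairs = {(src, dst) for _, src, dst in local}
    remote_pairs = {(src, dst) for _, src, dst in remote}
    problems = []
    for name, src, dst in local:
        if src.prefixlen == 0:
            problems.append(f"local {name}: source is 'any'; specify the local network instead")
        if (dst, src) not in remote_pairs:
            problems.append(f"local {name}: {src} -> {dst} has no mirror entry on the remote peer")
    for name, src, dst in remote:
        if (dst, src) not in local_pairs:
            problems.append(f"remote {name}: {src} -> {dst} has no mirror entry on the local peer")
    return problems


if __name__ == "__main__":
    for label, local in (("any-source ACL", ASA_ACL_ANY), ("fixed ACL", ASA_ACL_FIXED)):
        print(f"== {label} ==")
        for problem in check_mirror(local, PIX_ACL) or ["OK: ACLs are mirror images"]:
            print(" ", problem)
```

Run it against the two ASA variants: the `any`-source version reports the `any` source and the missing mirror entries on both sides, while the version with the explicit source network passes cleanly.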