L2L VPN Problem - ACL overriding Crypto ACL
Posted on 2009-02-13
I have an L2L tunnel in place between a PIX515E and a 2811 router. I have one subnet on the PIX able to access six on the 2811 end with no problems. However, I have two other subnets on the PIX that can't get to the subnets on the 2811.
I have set logging to debug and when I try access on either of the two subnets that aren't working I can see the traffic being blocked by the ACL applied to the interfaces that those subnets are on. This is despite there being crypto ACLs in place to allow that traffic to get to subnets on the 2811.
Are crypto ACLs evaluated before standard ACLs, which should stop the ACL on the interface from blocking the outgoing traffic destined for the 2811?
I also have "sysopt connection permit-ipsec" set on the PIX.