I have a tunnel set up on my Cisco 1760, with static IP endpoints and an access list applied in the crypto map. I don't know the remote VPN endpoint equipment/manufacturer.
The ACL on my side states "permit ip 192.168.28.0 0.0.0.255 192.168.202.0 0.0.0.255", but I saw with "sh crypto ipsec sa" that the remote network 192.168.202.0 is accessing not only the allowed local network but also a host on a different network of my site (172.16.100.x).
How is this possible? Is there a way to control that?
crypto isakmp key 0 PSKEY address Remote_VPN_Endpoint no-xauth
!
crypto map tunel 40 ipsec-isakmp
 set peer Remote_VPN_Endpoint
 set security-association lifetime seconds 28800
 set transform-set vpn
 set pfs group2
 match address 101
!
ip access-list extended 101
 permit ip 192.168.28.0 0.0.0.255 192.168.202.0 0.0.0.255
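An added check, not part of the original post: given the crypto ACL from the configuration above and the text of "show crypto ipsec sa", this Python script lists every IPsec SA whose local/remote identities are not covered by any entry of the crypto ACL, which is exactly the kind of flow the poster noticed. The SA output below is constructed sample text in the shape of the IOS command output; the interface name, peer address, local address and the 172.16.100.7 host are made up for the example.

```python
import ipaddress
import re

# Crypto ACL as in the post's configuration (address/wildcard form only).
CRYPTO_ACL = """
ip access-list extended 101
 permit ip 192.168.28.0 0.0.0.255 192.168.202.0 0.0.0.255
"""

# Constructed sample in the shape of "show crypto ipsec sa" output. The second
# SA (local ident 172.16.100.7/32) is invented to show a flow outside the ACL;
# the addresses 203.0.113.1 and 198.51.100.1 are documentation addresses.
SHOW_SA = """
interface: FastEthernet0/0
    Crypto map tag: tunel, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.28.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1150, #pkts decrypt: 1150, #pkts verify: 1150

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.100.7/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
"""

ACL_ENTRY_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address + wildcard pair into an ip_network (wildcard = inverted mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Return (src_net, dst_net) tuples for each 'permit ip A wc B wc' entry.

    Only the address/wildcard form used in the post is handled; 'any' and
    'host' keywords would need extra cases.
    """
    return [
        (wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4]))
        for m in ACL_ENTRY_RE.finditer(text)
    ]


def parse_sa_idents(text):
    """Pair each 'local ident' line with the following 'remote ident' line."""
    pairs, local = [], None
    for m in IDENT_RE.finditer(text):
        net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        if m[1] == "local":
            local = net
        elif local is not None:
            pairs.append((local, net))
            local = None
    return pairs


def find_unexpected_sas(acl_text, sa_text):
    """Return (local, remote) SA identities not covered by any crypto ACL entry."""
    acl = parse_crypto_acl(acl_text)
    unexpected = []
    for local, remote in parse_sa_idents(sa_text):
        covered = any(local.subnet_of(src) and remote.subnet_of(dst) for src, dst in acl)
        if not covered:
            unexpected.append((str(local), str(remote)))
    return unexpected


if __name__ == "__main__":
    for local, remote in find_unexpected_sas(CRYPTO_ACL, SHOW_SA):
        print(f"SA outside crypto ACL 101: local {local} <-> remote {remote}")
```

Run against real output by replacing the two sample strings with the router's configuration and the captured command output; any pair the script prints is an SA identity the local crypto ACL never asked for and is worth comparing with the peer's traffic selectors. The parser relies only on the "local ident"/"remote ident" lines, so extra counters or flags in the output do not matter.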