Some questions regarding the above command.
From my understanding this command implicitly generates the following for an interface enabled for IPSEC, say the outside interface:
access-list permit 50 any host
access-list permit 51 any host
access-list permit udp any host eq 500
Is this understanding correct?
- When the sysopt command is enabled, the ACL tied to the crypto map will be implicitly trusted, allowing the decrypted IPSEC packets to be permitted even if the outside interface ACL does not explicitly allow for it. Does this mean that there's a potential security issue with this? For example, the following is the ACL tied to the crypto map:
Crypto map ACL:
access-list ipsectraffic permit tcp host 10.1.1.3 any
access-list ipsectraffic permit tcp host 10.1.1.4 any
Outside interface ACL:
access-list outsideACL deny ip any any
Effective outside interface ACL:
access-list outsideACL permit any host 10.1.1.3
access-list outsideACL permit any host 10.1.1.4
access-list outsideACL deny ip any any
- Are static translations implicitly created as well? If so, why is this still needed in some of Cisco's literature?
nat (inside) 0 access-list ipsectraffic
Lotsa questions, but TIA for those who clear up my understanding.
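A small model of the inbound behaviour the question describes, added here as an example and not part of the original post or any Cisco code: with the sysopt bypass on, a decrypted packet is checked only against the mirrored crypto-map ACL, so that ACL becomes the effective allow list; with it off, the packet must pass the outside interface ACL. The ACL entries and the 192.0.2.x peer address are constructed from the question; the `Ace`, `Packet` and `inbound_allowed` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol, else "tcp", "udp", ...
    src: str      # "any" or a host/network in CIDR notation
    dst: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    decrypted: bool = False   # True when the packet arrived through an IPsec SA


def _match_addr(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _match_ace(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and _match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst))


def acl_permits(acl, pkt):
    # First matching entry wins; every ACL ends with an implicit deny.
    for ace in acl:
        if _match_ace(ace, pkt):
            return ace.action == "permit"
    return False


def crypto_acl_covers(crypto_acl, pkt):
    # Inbound decrypted traffic is checked against the crypto ACL mirrored:
    # the entry's source is the local (protected) side, so it must match the packet's destination.
    return any(_match_ace(Ace("permit", a.proto, a.dst, a.src), pkt)
               for a in crypto_acl if a.action == "permit")


def inbound_allowed(pkt, outside_acl, crypto_acl, sysopt_permit_ipsec):
    # Model assumption: the sysopt bypass applies only to packets that came out of an IPsec SA.
    if pkt.decrypted and sysopt_permit_ipsec:
        return crypto_acl_covers(crypto_acl, pkt)
    return acl_permits(outside_acl, pkt)


# Constructed sample ACLs taken from the question above.
CRYPTO_ACL = [Ace("permit", "tcp", "10.1.1.3/32", "any"), Ace("permit", "tcp", "10.1.1.4/32", "any")]
OUTSIDE_ACL = [Ace("deny", "ip", "any", "any")]
```

Run against the sample ACLs, a decrypted TCP packet to 10.1.1.3 is allowed only with the bypass on, while a decrypted packet to a host outside the crypto ACL, a UDP packet, or a clear-text packet is dropped either way.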