L2L VPN - Permitting a new Network

johnnymac
Level 1

Hi,

I currently have a L2L VPN that connects a remote office. It is partly managed by a third party. Currently it permits traffic from our internal LAN 1.0.84.0/24. I am in the process of re-addressing our internal LAN. I have created, VLAN'd and subnetted 4 new subnets using 192.168.32.0/26, 192.168.32.64/26 etc. The trouble I'm having is connectivity from the new subnets to the remote site.

The guy at the third party has made the changes his end to permit the new subnets. I have added rules to my access-lists as required but no joy.

access-list nonat extended permit ip 192.168.32.0 255.255.255.0 172.16.0.0 255.255.255.0

access-list 127 extended permit ip 192.168.32.0 255.255.255.0 172.16.0.0 255.255.255.0

I think the third party guy has just permitted 192.168.32.0/24, and I'm wondering if that is correct as I'm actually using 192.168.32.0/26, 192.168.32.64/26, 192.168.128.0/26, 192.168.32.192/26. Should subnets be permitted individually or would 192.168.32.0/24 be a workable summarization?

Many Thanks

J Mack


Jon Marshall
Hall of Fame

Hi

It shouldn't make any difference, to be honest. The VPN device should just compare the address to its crypto map, so if its crypto map says permit the /24 range and the IP address is from the 192.168.32.0/26 range it won't care. The subnet mask is not carried in the IP header of the packets.

I suspect the issue is elsewhere. Do you have a sanitised copy of your config and the remote end?

If you bring the tunnel down and then try and connect from a 192.168.32.x address, does the tunnel come up but no traffic passes, or does the tunnel fail to initialise?

HTH

Jon
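As an added illustration of the point Jon makes above (this is example code written for this page, not Cisco software and not either poster's configuration), the following models how a crypto ACL is evaluated: each packet's source and destination addresses are tested for membership in the ACL entry's networks, and nothing about the sending host's own subnet mask enters into it. It parses ASA-style "extended permit ip" lines like the ones in the question, evaluates a packet against them with first-match and implicit-deny semantics, and checks that a single /24 summary and four explicit /26 entries classify the same sample hosts identically. The ACL lines beyond the one on the page and the sample host addresses are constructed for the example; the 192.168.128.5 host is included only to show that an address outside 192.168.32.0/24 is not covered by that summary.

```python
import ipaddress
from typing import List, Tuple

# Constructed ACL lines in ASA "extended" syntax (address followed by netmask).
# The first list is the /24 summary from the question; the second is the same
# reachability expressed as four explicit /26 entries.
ACL_SUMMARIZED = [
    "access-list 127 extended permit ip 192.168.32.0 255.255.255.0 172.16.0.0 255.255.255.0",
]
ACL_PER_SUBNET = [
    "access-list 127 extended permit ip 192.168.32.0 255.255.255.192 172.16.0.0 255.255.255.0",
    "access-list 127 extended permit ip 192.168.32.64 255.255.255.192 172.16.0.0 255.255.255.0",
    "access-list 127 extended permit ip 192.168.32.128 255.255.255.192 172.16.0.0 255.255.255.0",
    "access-list 127 extended permit ip 192.168.32.192 255.255.255.192 172.16.0.0 255.255.255.0",
]

# Constructed sample hosts, one in each /26, plus one outside the /24 summary.
SAMPLE_HOSTS = ["192.168.32.10", "192.168.32.70", "192.168.32.130", "192.168.32.200", "192.168.128.5"]
REMOTE_HOST = "172.16.0.5"

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def parse_acl_line(line: str) -> Entry:
    """Parse 'access-list NAME extended {permit|deny} ip SRC SRCMASK DST DSTMASK'.

    Only the ip-any-protocol form used on the page is supported; anything else
    raises so a typo in the config is not silently treated as a match.
    """
    parts = line.split()
    if len(parts) != 9 or parts[0] != "access-list" or parts[2] != "extended" or parts[4] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    action = parts[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACL line: {line!r}")
    # ipaddress accepts 'address/netmask'; strict=True rejects an address with
    # host bits set, which is exactly the kind of mistake worth catching here.
    src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=True)
    dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}", strict=True)
    return action, src, dst


def parse_acl(lines: List[str]) -> List[Entry]:
    return [parse_acl_line(line) for line in lines]


def matches(acl: List[Entry], src_ip: str, dst_ip: str) -> bool:
    """Return True if the packet is permitted (i.e. counts as interesting traffic).

    Evaluation is first-match; a packet that matches no entry hits the implicit
    deny. Only the packet's two addresses are consulted: the sender's own subnet
    mask is not in the IP header and plays no part in the decision.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def classification_differences(acl_a: List[Entry], acl_b: List[Entry],
                               hosts: List[str], dst_ip: str) -> List[str]:
    """Return the hosts that the two ACLs classify differently for a given destination."""
    return [h for h in hosts if matches(acl_a, h, dst_ip) != matches(acl_b, h, dst_ip)]


def mirrored(acl: List[Entry]) -> List[Entry]:
    """Swap source and destination to produce the entries the remote peer must hold.

    Both ends of a site-to-site tunnel have to agree on the protected networks,
    so the far side's crypto ACL is the mirror image of the local one.
    """
    return [(action, dst_net, src_net) for action, src_net, dst_net in acl]


if __name__ == "__main__":
    summary = parse_acl(ACL_SUMMARIZED)
    per_subnet = parse_acl(ACL_PER_SUBNET)
    for host in SAMPLE_HOSTS:
        print(f"{host:>16} -> {REMOTE_HOST}: /24 summary={matches(summary, host, REMOTE_HOST)}, "
              f"four /26 entries={matches(per_subnet, host, REMOTE_HOST)}")
    print("hosts classified differently:", classification_differences(summary, per_subnet, SAMPLE_HOSTS, REMOTE_HOST))
```

Run as a script it prints the verdict for each sample host under both ACLs; the four hosts inside 192.168.32.0/24 are permitted by both lists and 192.168.128.5 by neither, so the summary and the per-subnet form are interchangeable for traffic selection as long as every new subnet actually falls inside the summarized range.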
