VPN ACL IP range -> IP range not working

Jan 15th, 2008
Hi


I'm having a small problem and need some help to clarify it.

I'm NAT'ing my inside to my external interface when passing traffic through the VPN.

So:

access-list vpn extended permit ip external_interface 192.168.20.1 255.255.255.0

I get hit counts on this but it doesn't work.

So I add this line instead (line 1):

access-list vpn extended permit ip external_interface HOST 192.168.20.5

access-list vpn extended line 2 permit ip external_interface 192.168.20.0/24

And I can successfully connect to that host through the VPN connection.

But why can't I use the network range (/24)? Why must I use hosts to be able to pass traffic?

Let's say that I want 192.168.10.0/24 to be able to communicate with my other VPN side, which has IP range 192.168.20.0/24.

My ACL would look like this:

access-list vpn extended permit ip 192.168.10.0/24 192.168.20.0/24

Of course I have to insert another ACL rule in the no_nat ACL.

But that doesn't work either? I have to manually type in the hosts in the 192.168.20.x/24 network to be able to connect to them?

What am I doing wrong here?

Thanks

ajagadee (Cisco Employee) Tue, 01/15/2008 - 07:54

I assume this is either a PIX or an ASA. What is on the other side of the VPN tunnel? Is the other side configured to accept connections from your NATted address to the 192.168.20.0/24 range, or only from specific IP addresses?

From the problem description, it looks like the remote side is configured for a specific IPsec ACL or is permitting only specific traffic to hit the servers.


Regards,

Arul

azore2007 Tue, 01/15/2008 - 08:19

Hi


This is an ASA 7.2.2; they are using a StoneGate firewall.

They have typed out how their ACL looks and it looks good.

So strange that if I only add host->host then it works.


ajagadee (Cisco Employee) Tue, 01/15/2008 - 08:39

If they have their side configured correctly, then you need to configure the mirror ACL for the interesting traffic on the ASA, bring up the tunnel, and look at the output of "show crypto ipsec sa" for encrypts/decrypts to see whether the ASA is encrypting the packets and sending them to the remote peer or not.

If the remote side is configured for the class C range, can you reconfigure the ASA to mirror the remote ACL, bring up the tunnel and post the outputs of "show cry is sa" and "show crypto ipsec sa"?


Regards,

Arul
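A small check for the "mirror ACL" advice above, as an added example that is not part of this thread: it parses ASA-style crypto ACEs from both peers, normalises host / mask / CIDR forms, flags a network written with host bits set (as in the 192.168.20.1 255.255.255.0 entry in the question), and reports any local ACE whose exact mirror is missing on the remote side. The outside interface address 203.0.113.10 and both ACL listings are constructed assumptions.

```python
import ipaddress

# Constructed sample: the local ASA NATs inside hosts to its outside address,
# assumed here to be 203.0.113.10 (stands in for "external_interface").
LOCAL_ACL = [
    "access-list vpn extended permit ip host 203.0.113.10 192.168.20.1 255.255.255.0",
    "access-list vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0",
]
# Constructed remote peer ACL: mirrors only the NATted-address entry.
REMOTE_ACL = [
    "access-list remote extended permit ip 192.168.20.0 255.255.255.0 host 203.0.113.10",
]


def parse_ace(line):
    """Return (src_net, dst_net, warnings) for a 'permit <proto> <src> <dst>' ACE.
    Accepts 'any', 'host A', 'A MASK' and 'A/nn'; a network with host bits set
    is accepted but reported, since it usually indicates a typo."""
    tokens = line.split()
    i = tokens.index("permit") + 2  # skip 'permit' and the protocol keyword
    nets, warnings = [], []
    while len(nets) < 2:
        tok = tokens[i]
        if tok == "any":
            text, i = "0.0.0.0/0", i + 1
        elif tok == "host":
            text, i = tokens[i + 1] + "/32", i + 2
        elif "/" in tok:
            text, i = tok, i + 1
        else:
            text, i = f"{tok}/{tokens[i + 1]}", i + 2
        try:
            net = ipaddress.ip_network(text)           # strict: host bits must be zero
        except ValueError:
            net = ipaddress.ip_network(text, strict=False)
            warnings.append(f"host bits set in {text}, normalised to {net}")
        nets.append(net)
    return nets[0], nets[1], warnings


def check_mirror(local_lines, remote_lines):
    """Findings: host-bit warnings from either side, then every local ACE with
    no remote ACE whose source is our destination and whose destination is our source."""
    findings, remote_pairs = [], set()
    for line in remote_lines:
        src, dst, warn = parse_ace(line)
        remote_pairs.add((src, dst))
        findings.extend(warn)
    for line in local_lines:
        src, dst, warn = parse_ace(line)
        findings.extend(warn)
        if (dst, src) not in remote_pairs:
            findings.append(f"no exact mirror on remote peer for: {line}")
    return findings


if __name__ == "__main__":
    for finding in check_mirror(LOCAL_ACL, REMOTE_ACL):
        print(finding)
```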

azore2007 Tue, 01/15/2008 - 09:07

The ACL looks mirrored, but it still doesn't work.

But adding that host -> host works like a charm.



azore2007 Tue, 01/15/2008 - 09:50

I have found something... something strange.

I try to start the VPN tunnel and I get this while running debug crypto ipsec 200:


ASA(config)# IPSEC: New embryonic SA created @ 0x02644920,
SCB: 0x026401F8,
Direction: inbound <--
SPI : 0x132D3130
Session ID: 0x00003312
VPIF num : 0x00000001
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds



Direction Inbound?


So I change my VPN ACL to make it host->host communication (from C net -> host) and restart the tunnel. I get the same message, but this time it's Direction: outbound.

Anyone got any idea?
