VPN ACL IP range -> IP range not working

Jan 15th, 2008

I'm having a smaller problem and need some help to clarify it.

I'm NAT'ing my inside to my external interface when passing traffic through the VPN


access-list vpn extended permit ip external_interface

I get hitcounts on this but it doesn't work.

So I add this line instead (line 1)

access-list vpn extended permit ip external_interface HOST

access-list vpn extended line 2 permit ip external_interface

And I can successfully connect to that host through the VPN connection.

But why can't I use the network range (/24)? Why must I use hosts to be able to pass traffic?

Let's say that I want to be able to communicate with my other VPN side who has ip

My acl would look like this

access-list vpn extended permit ip

of course I have to insert another ACL rule in the no_nat ACL.

But that doesn't work either? I have to manually type in the hosts in the 192.168.20.x/24 network to be able to connect to them?

What am I doing wrong here?


ajagadee (Cisco Employee) Tue, 01/15/2008 - 07:54

I assume this is either a PIX or an ASA. What is on the other side of the VPN tunnel? Is the other side configured to accept connections from your NATted address to the range, or only from specific IP addresses?

From the problem description, it looks like the remote side is configured for a specific IPsec ACL or is permitting only specific traffic to hit the servers.



azore2007 Tue, 01/15/2008 - 08:19

This is an ASA 7.2.2; they are using a StoneGate firewall.

They have typed out how their ACL looks, and it looks good.

So strange that if I only add host->host then it works.

ajagadee (Cisco Employee) Tue, 01/15/2008 - 08:39

If they have their side configured correctly, then you need to configure the mirror ACL for the interesting traffic on the ASA, bring up the tunnel, and look at the outputs of "show crypto ipsec sa" for encrypts/decrypts to see whether the ASA is encrypting the packets and sending them to the remote peer or not.

If the remote side is configured for the class C range, can you reconfigure the ASA to mirror the remote ACL, bring up the tunnel, and post the outputs of "show cry is sa" and "show crypto ipsec sa"?



azore2007 Tue, 01/15/2008 - 09:07

The ACL looks mirrored, but it still doesn't work.

But adding that host -> host works like a charm.

azore2007 Tue, 01/15/2008 - 09:50

I have found something... something strange.

I try to start the VPN tunnel and I get this while running debug crypto ipsec 200:

ASA(config)# IPSEC: New embryonic SA created @ 0x02644920,

SCB: 0x026401F8,

Direction: inbound <--

SPI : 0x132D3130

Session ID: 0x00003312

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

Direction Inbound?

So I change my VPN ACL to make it host->host communication (from C net -> host) and restart the tunnel. I get the same message, but this time it's Direction: outbound.

Anyone got any idea?

