01-15-2008 02:44 AM - edited 02-21-2020 03:28 PM
Hi
I'm having a small problem and need some help to clarify it.
I'm NAT'ing my inside to my external interface when passing traffic through the VPN
So
access-list vpn extended permit ip external_interface 192.168.20.1 255.255.255.0
I get hitcounts on this but it doesn't work.
So I add this line instead (line 1)
access-list vpn extended permit ip external_interface HOST 192.168.20.5
access-list vpn extended line 2 permit ip external_interface 192.168.20.0/24
And I can successfully connect to that host through the VPN connection.
But why can't I use the network range (/24)? Why must I use hosts to be able to pass traffic?
Let's say that I want 192.168.10.0/24 to be able to communicate with my other VPN side, which has IP 192.168.20.0/24.
My acl would look like this
access-list vpn extended permit ip 192.168.10.0/24 192.168.20.0/24
of course I have to insert another ACL rule in the no_nat ACL.
But that doesn't work either? I have to manually type in the hosts in the 192.168.20.x/24 network to be able to connect to them?
What am I doing wrong here?
Thanks
01-15-2008 07:54 AM
I assume this is either a PIX or an ASA. What is on the other side of the VPN tunnel? Is the other side configured to accept connections from your NATted address to the 192.168.20.0/24 range, or only to specific IP addresses?
From the problem description, it looks like the remote side is configured for specific IPSEC Acl or permitting only specific traffic to hit the servers.
Regards,
Arul
01-15-2008 08:19 AM
Hi
This is an ASA 7.2.2; they are using a StoneGate firewall.
They have typed out how their ACL looks and it looks good.
So strange that if I only add host->host then it works.
01-15-2008 08:39 AM
If they have their side configured correctly, then you need to configure the mirror acl for the interesting traffic on the ASA, bring up the tunnel, and look at the outputs of "show crypto ipsec sa" for encrypts/decrypts to see if the ASA is encrypting the packets and sending it to the remote peer or not.
If the remote side is configured for the class C range, can you reconfigure the ASA to mirror the remote ACL, bring up the tunnel and post the outputs of "show cry is sa" and "show crypto ipsec sa".
Regards,
Arul
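The two checks Arul describes, as an added example that is not part of the thread or of any Cisco tool: a script that parses ASA-style `permit ip` crypto ACEs on both sides, reports any entry that has no reversed counterpart on the peer, flags network operands whose host bits are not zero (for example `192.168.20.1 255.255.255.0`, which the ASA treats as `192.168.20.0/24`), and reads the `#pkts encaps` / `#pkts decaps` counters from `show crypto ipsec sa` output to tell whether traffic is being encrypted locally and whether anything comes back. The ACL lines and the SA counter fragment below are constructed samples modelled on the addresses in this thread, not the poster's actual configuration.

```python
"""Added example: verify that an ASA crypto ACL mirrors the remote peer's ACL
and summarize encaps/decaps counters. Sample inputs are constructed."""
import ipaddress
import re

# Matches 'access-list NAME [line N] extended [line N] permit ip SRC DST'
ACE_RE = re.compile(
    r"access-list\s+\S+\s+(?:line\s+\d+\s+)?extended\s+(?:line\s+\d+\s+)?"
    r"permit\s+ip\s+(.+)", re.I)


def _parse_addr(tokens, i):
    """Parse one address operand at tokens[i]: 'host A.B.C.D', 'A.B.C.D MASK'
    or the shorthand 'A.B.C.D/N'. Returns (network, canonical, next_index)."""
    tok = tokens[i]
    if tok.lower() == "host":
        return ipaddress.ip_network(tokens[i + 1]), True, i + 2
    if "/" in tok:
        spec, nxt = tok, i + 1
    else:
        spec, nxt = f"{tok}/{tokens[i + 1]}", i + 2
    iface = ipaddress.ip_interface(spec)
    # canonical means no host bits are set under the mask
    canonical = iface.ip == iface.network.network_address
    return iface.network, canonical, nxt


def parse_acl(text):
    """Return [(src_net, dst_net, canonical)] for each permit ip ACE."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        src, src_ok, i = _parse_addr(tokens, 0)
        dst, dst_ok, _ = _parse_addr(tokens, i)
        entries.append((src, dst, src_ok and dst_ok))
    return entries


def unmirrored(local, remote):
    """Return (ACEs only on the local side, ACEs only on the remote side).
    Remote entries are reported in local orientation (src -> dst as the
    local ASA would need to write them)."""
    local_pairs = {(s, d) for s, d, _ in local}
    remote_rev = {(d, s) for s, d, _ in remote}
    only_local = sorted(f"{s} -> {d}" for s, d in local_pairs - remote_rev)
    only_remote = sorted(f"{s} -> {d}" for s, d in remote_rev - local_pairs)
    return only_local, only_remote


def sa_counters(show_output):
    """Pull (#pkts encaps, #pkts decaps) from 'show crypto ipsec sa' text."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", show_output)
    dec = re.search(r"#pkts decaps:\s*(\d+)", show_output)
    if not enc or not dec:
        return None
    return int(enc.group(1)), int(dec.group(1))


def diagnose(encaps, decaps):
    """Plain-language reading of the counters, as a troubleshooting hint."""
    if encaps == 0:
        return "no encaps: traffic is not matching the local crypto ACL (check the ACL and NAT exemption)"
    if decaps == 0:
        return "encaps but no decaps: packets leave but nothing returns; check that the remote ACL mirrors ours"
    return "encaps and decaps both increasing: the tunnel is passing traffic in both directions"


# Constructed sample: local side has a non-canonical network operand plus a
# host-to-host ACE that the remote side does not mirror.
LOCAL_ACL = """\
access-list vpn extended permit ip 192.168.10.0 255.255.255.0 192.168.20.1 255.255.255.0
access-list vpn line 2 extended permit ip host 192.168.10.5 host 192.168.20.5
"""
REMOTE_ACL = """\
access-list remote extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
# Constructed fragment in the format of 'show crypto ipsec sa' counters.
SAMPLE_SA = """\
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    local, remote = parse_acl(LOCAL_ACL), parse_acl(REMOTE_ACL)
    for s, d, ok in local:
        if not ok:
            print(f"warning: non-canonical network operand in ACE, normalized to {s} -> {d}")
    only_local, only_remote = unmirrored(local, remote)
    print("local ACEs with no remote mirror:", only_local)
    print("remote ACEs with no local mirror:", only_remote)
    print("counters:", sa_counters(SAMPLE_SA), "->", diagnose(*sa_counters(SAMPLE_SA)))
```

Run it against the real `show access-list` output from both peers and the real `show crypto ipsec sa` output; an ACE with no mirror, or encaps with zero decaps, points at the remote side's policy rather than at the local crypto map.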
01-15-2008 09:07 AM
The ACL looks mirrored, but it still doesn't work,
but adding that host -> host works like a charm.
01-15-2008 09:50 AM
I have found something... something strange.
I try to start the VPN tunnel and I get this while running debug crypto ipsec 200:
ASA(config)# IPSEC: New embryonic SA created @ 0x02644920,
SCB: 0x026401F8,
Direction: inbound <--
SPI : 0x132D3130
Session ID: 0x00003312
VPIF num : 0x00000001
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Direction Inbound?
So I change my VPN ACL to make it host->host communication (from C net -> host) and restart the tunnel; I get the same message but this time it's Direction: outbound.
Anyone got any idea?