373 Views, 0 Helpful, 5 Replies

VPN ACL IP range -> IP range not working

azore2007
Level 1

Hi

I'm having a small problem and need some help to clarify it.

I'm NAT'ing my inside to my external interface when passing traffic through the VPN.

So:

access-list vpn extended permit ip external_interface 192.168.20.1 255.255.255.0

I get hit counts on this but it doesn't work.

So I add this line instead (line 1):

access-list vpn extended permit ip external_interface HOST 192.168.20.5

access-list vpn extended line 2 permit ip external_interface 192.168.20.0/24

And I can successfully connect to that host through the VPN connection.

But why can't I use the network range (/24)? Why must I use hosts to be able to pass traffic?

Let's say that I want 192.168.10.0/24 to be able to communicate with my other VPN side, which has 192.168.20.0/24.

My ACL would look like this:

access-list vpn extended permit ip 192.168.10.0/24 192.168.20.0/24

Of course I have to insert another ACL rule in the no_nat ACL.

But that doesn't work either. I have to manually type in the hosts in the 192.168.20.x/24 network to be able to connect to them?

What am I doing wrong here?

Thanks

5 Replies

ajagadee
Cisco Employee

I assume this is either a PIX or an ASA. What is on the other side of the VPN tunnel? Is the other side configured to accept connections from your NATted address to the 192.168.20.0/24 range, or only to specific IP addresses?

From the problem description, it looks like the remote side is configured with a specific IPsec ACL, or is permitting only specific traffic to hit the servers.

Regards,

Arul

Hi

This is an ASA 7.2.2; they are using a StoneGate firewall.

They have told me how their ACL looks, and it looks good.

So strange that if I only add host -> host then it works.

If they have their side configured correctly, then you need to configure the mirror ACL for the interesting traffic on the ASA, bring up the tunnel, and look at the outputs of "show crypto ipsec sa" for encrypts/decrypts to see if the ASA is encrypting the packets and sending them to the remote peer or not.

If the remote side is configured for the class C range, can you reconfigure the ASA to mirror the remote ACL, bring up the tunnel and post the outputs of "show cry is sa" and "show crypto ipsec sa"?

Regards,

Arul
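As an added troubleshooting aid (not part of this thread, and not Cisco code), here is a small Python check that parses ACEs in the syntax used above and reports whether a local crypto ACE is an exact mirror of the peer's, or only narrower or broader than it. It assumes the remote entry has been transcribed into the same ASA-style syntax and uses plain IPv4 addresses; interface or object names such as external_interface are not resolved.

```python
import ipaddress
import re

# Accepts the ACE forms seen in this thread, e.g.
#   access-list vpn extended permit ip 192.168.10.0 255.255.255.0 host 192.168.20.5
#   access-list vpn line 2 extended permit ip 192.168.10.0/24 192.168.20.0/24
ACE_RE = re.compile(
    r"access-list\s+\S+\s+(?:line\s+\d+\s+)?extended\s+(?:line\s+\d+\s+)?permit\s+ip\s+(.*)",
    re.IGNORECASE,
)


def _parse_operand(tokens):
    """Consume one address operand (host X | X/N | X MASK) and return an ip_network."""
    tok = tokens.pop(0)
    if tok.lower() == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False)
    mask = tokens.pop(0)
    # strict=False mirrors what the ASA stores: 192.168.20.1 255.255.255.0 -> 192.168.20.0/24
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_ace(line):
    """Return (source_network, destination_network) for one 'permit ip' extended ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'permit ip' extended ACE: {line!r}")
    tokens = m.group(1).split()
    src = _parse_operand(tokens)
    dst = _parse_operand(tokens)
    return src, dst


def mirror_status(local_ace, remote_ace):
    """Classify the local crypto ACE against the peer's (both in ASA-style syntax).

    Returns 'mirrored', 'local-narrower', 'local-broader' or 'mismatch'.
    A mirror swaps the roles: local source must equal remote destination and vice versa.
    """
    lsrc, ldst = parse_ace(local_ace)
    rsrc, rdst = parse_ace(remote_ace)
    if lsrc == rdst and ldst == rsrc:
        return "mirrored"
    if lsrc.subnet_of(rdst) and ldst.subnet_of(rsrc):
        return "local-narrower"
    if rdst.subnet_of(lsrc) and rsrc.subnet_of(ldst):
        return "local-broader"
    return "mismatch"
```

Run it against the local ACE and the peer's entry after each change; a host-only line on one end against a /24 on the other shows up as "local-narrower" or "local-broader" rather than "mirrored".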

The ACL looks mirrored, but it still doesn't work,

but adding that host -> host works like a charm.

I have found something... something strange.

I try to start the VPN tunnel and I get this while running debug crypto ipsec 200:

ASA(config)# IPSEC: New embryonic SA created @ 0x02644920,
SCB: 0x026401F8,
Direction: inbound <--
SPI : 0x132D3130
Session ID: 0x00003312
VPIF num : 0x00000001
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds

Direction Inbound?

So I change my VPN ACL to make it host -> host communication (from C net -> host) and restart the tunnel. I get the same message, but this time it's Direction: outbound.

Anyone got any idea?
