L2L Connection issues

Unanswered Question
Jun 26th, 2008

Got a bit of a strange issue here. We have a LAN-to-LAN up and going if we allow all IP traffic to pass, but as soon as we start adding restrictions it won't work. I wind up with the IP address of the remote device in the logs as trying to connect. I have an ASA on this end and they have a PIX on that end. He swears he has NAT disabled for the tunnel; we both have NAT-T enabled.

Anyone got any ideas?

acomiskey Thu, 06/26/2008 - 08:54

You'll have to be a bit more specific. Where are you placing these restrictions? Are you using sysopt connection permit-ipsec? Examples of the logs you are seeing, etc.

svanguilder Thu, 06/26/2008 - 10:46

I am adding the restrictions as an ACL in the IPsec rules.

I edited out the addresses that I don't want out there. But the xx.xxx.150.17 address is the address of their PIX, the is the subnet that I am allowing and xxx.xx.176.22 is the address he is trying to connect to.

One line of the ACL that I have here is:

access-list outside_cryptomap_260 line 2 extended permit tcp host xxx.xx.176.22 eq telnet (hitcnt=0)

What I am not clear on is why we are seeing the PIX address there instead of the addresses when they try to telnet.

acomiskey Thu, 06/26/2008 - 11:07

This is not the correct way to filter the traffic in the tunnel.

Leave your crypto map ACLs as...

access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22

and on the other end...

access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22

To filter the traffic, you can remove "sysopt connection permit-ipsec/vpn" and use your interface ACLs to filter the traffic.

Another option on the ASA is to use a vpn-filter. This link is for remote-access VPN, but it works for L2L as well.
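As an added worked example (not acomiskey's configuration or anything posted in the thread), here is how the two filtering options above look on an ASA running pre-8.3 software, with placeholder addresses from the documentation ranges in place of the masked ones in the posts. The crypto map ACL stays "permit ip" and mirrors the PIX side, because on ASA/PIX the crypto ACLs have to be mirror images and the phase 2 proxy identities must match; narrowing one side to TCP/telnet is what makes the tunnel stop passing traffic. Filtering is then done either by the outside interface ACL with "sysopt connection permit-vpn" removed (permit-ipsec on older code), or by a vpn-filter attached to the L2L tunnel's group policy. The names outside_map, inside_nat0_outbound, outside_access_in, L2L_260 and L2L_FILTER and all addresses are assumptions for the example.

```cisco
! Added example for an ASA running pre-8.3 software; not configuration from the thread.
! Placeholder addresses (documentation ranges), not the masked ones in the posts:
!   203.0.113.17      public address of the remote PIX (assumed)
!   192.0.2.22        local host the remote side telnets to (assumed)
!   198.51.100.0/24   remote LAN behind the PIX (assumed)

! Phase 1 and NAT-T, since both sides say they have NAT-T enabled
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! 1. The crypto map ACL only defines interesting traffic. Keep it "permit ip" and make
!    the PIX's crypto ACL its mirror image; this is not the place to restrict ports.
access-list outside_cryptomap_260 extended permit ip host 192.0.2.22 198.51.100.0 255.255.255.0

! NAT exemption (pre-8.3 syntax) so tunnel traffic keeps its real addresses
access-list inside_nat0_outbound extended permit ip host 192.0.2.22 198.51.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto map outside_map 260 match address outside_cryptomap_260
crypto map outside_map 260 set peer 203.0.113.17
crypto map outside_map 260 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

tunnel-group 203.0.113.17 type ipsec-l2l
tunnel-group 203.0.113.17 ipsec-attributes
 pre-shared-key <shared-secret>

! 2a. Option A: stop bypassing the interface ACL for decrypted VPN traffic, then permit
!     only telnet from the remote LAN to the local host on the outside interface ACL.
!     The explicit "deny ip any any log" is what makes the next drop visible in the logs.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.22 eq telnet
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside

! 2b. Option B (instead of 2a): keep "sysopt connection permit-vpn" and attach a vpn-filter
!     to the group policy of the L2L tunnel. A vpn-filter ACL is written from the remote
!     side's point of view (source = remote network, destination = local) and the ASA
!     applies it to both directions of the tunnel, so one line covers the telnet session
!     and its replies.
access-list L2L_FILTER extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.22 eq telnet
group-policy L2L_260 internal
group-policy L2L_260 attributes
 vpn-filter value L2L_FILTER
tunnel-group 203.0.113.17 general-attributes
 default-group-policy L2L_260
```

To check the result, "show crypto ipsec sa" should show the local and remote ident lines as 192.0.2.22/255.255.255.255/0/0 and 198.51.100.0/255.255.255.0/0/0 on both peers (protocol and port 0, i.e. "permit ip"), and "show access-list" should show hit counts climbing on outside_access_in or L2L_FILTER rather than on the crypto map ACL alone; "show vpn-sessiondb l2l" lists the tunnel and, with "detail", the filter in effect.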


svanguilder Thu, 06/26/2008 - 11:24

Thanks... I was starting to come to the conclusion that that was the wrong place to set the restrictions, but I didn't know where to look.

