L2L Connection issues

Jun 26th, 2008

Got a bit of a strange issue here. We have a LAN-to-LAN up and going if we allow all IP traffic to pass, but as soon as we start adding restrictions it won't work. I wind up with the IP address of the remote device in the logs as trying to connect. I have an ASA on this end and they have a PIX on that end. He swears he has NAT disabled for the tunnel; we both have NAT-T enabled.

Anyone got any ideas?

acomiskey Thu, 06/26/2008 - 08:54

You'll have to be a bit more specific. Where are you placing these restrictions? Are you using sysopt connection permit-ipsec? An example of the logs you are seeing, etc.

svanguilder Thu, 06/26/2008 - 10:46

I am adding the restrictions as an ACL in IPSEC rules.

I edited out the addresses that I don't want out there. But the xx.xxx.150.17 address is the address of their PIX, 192.168.49.0 is the subnet that I am allowing, and xxx.xx.176.22 is the address he is trying to connect to.

One line of the ACL that I have here is:

access-list outside_cryptomap_260 line 2 extended permit tcp host xxx.xx.176.22 192.168.49.0 255.255.255.0 eq telnet (hitcnt=0)

What I am not clear on is why we are seeing the PIX address there instead of the 192.168.49.0 addresses when they try to telnet.

acomiskey Thu, 06/26/2008 - 11:07

This is not the correct way to filter the traffic in the tunnel.

Leave your cryptomap acls as...

access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0

and on the other end...

access-list outside_cryptomap_260 extended permit ip 192.168.49.0 255.255.255.0 host xxx.xx.176.22

To filter the traffic, you can remove "sysopt connection permit-ipsec/vpn" and use your interface ACLs to filter the traffic.

Another option on the ASA is to use a vpn-filter. This link is for remote-access VPN, but it works for L2L as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
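The two approaches in the reply above, written out as an ASA configuration. This is an added example and not configuration from the thread: the crypto map name (outside_map), the transform-set, the ACL and group-policy names, and the interface ACL name are assumptions, and the addresses are RFC 5737 documentation stand-ins for the masked ones in the thread (198.51.100.17 for the remote PIX, 203.0.113.22 for the local host). Option 1 and Option 2 are alternatives; use one or the other, not both.

```cisco
! --- Crypto map ACL: a plain "permit ip" proxy identity. It only defines what
!     gets encrypted, not what is allowed through. The remote PIX must carry the
!     mirror image (192.168.49.0/24 -> host 203.0.113.22) or the SAs will not
!     match. Keep protocol/port filtering out of this ACL entirely.
access-list outside_cryptomap_260 extended permit ip host 203.0.113.22 192.168.49.0 255.255.255.0

crypto map outside_map 260 match address outside_cryptomap_260
crypto map outside_map 260 set peer 198.51.100.17
crypto map outside_map 260 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! --- Option 1: vpn-filter, attached to this peer's tunnel-group through a
!     group-policy. vpn-filter ACLs are written with the REMOTE side as source
!     and the LOCAL side as destination; the ASA applies the same ACL to both
!     directions of tunnel traffic, so this one line allows telnet from the
!     remote subnet to the local host and its replies. "sysopt connection
!     permit-vpn" can stay enabled with this option.
access-list L2L_260_FILTER extended permit tcp 192.168.49.0 255.255.255.0 host 203.0.113.22 eq telnet
access-list L2L_260_FILTER extended deny ip any any log

group-policy L2L_260_GP internal
group-policy L2L_260_GP attributes
 vpn-filter value L2L_260_FILTER

tunnel-group 198.51.100.17 type ipsec-l2l
tunnel-group 198.51.100.17 general-attributes
 default-group-policy L2L_260_GP
tunnel-group 198.51.100.17 ipsec-attributes
 pre-shared-key <your-psk>

! --- Option 2: interface ACL. Turning off the sysopt bypass makes decrypted
!     tunnel traffic subject to the outside interface ACL like any other
!     inbound traffic, so the filter lives in the normal access-group.
!     (On older PIX/ASA 7.0 images the command is "sysopt connection permit-ipsec".)
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp 192.168.49.0 255.255.255.0 host 203.0.113.22 eq telnet
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
```

Either way the check is the same: "show crypto ipsec sa" should show the single "permit ip" proxy identity negotiated with the peer, and the hit counters in "show access-list L2L_260_FILTER" (or on outside_access_in) should move when the remote side telnets, while the crypto map ACL's hit count remains a count of encrypted packets rather than of allowed ones. With Option 2, remember that removing the bypass exposes every other tunnel on the box to its interface ACL too, so audit the other L2L and remote-access peers before committing.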

svanguilder Thu, 06/26/2008 - 11:24

Thanks...I was starting to come to the conclusion that was the wrong place to set the restrictions, but I didn't know where to look.
