L2L Connection issues

Unanswered Question
Jun 26th, 2008
Got a bit of a strange issue here. We have a LAN-to-LAN up and going if we allow all IP traffic to pass, but as soon as we start adding restrictions it won't work. I wind up with the IP address of the remote device in the logs as trying to connect. I have an ASA on this end and they have a PIX on that end. He swears he has NAT disabled for the tunnel; we both have NAT-T enabled.


Anyone got any ideas?

acomiskey Thu, 06/26/2008 - 08:54

You'll have to be a bit more specific. Where are you placing these restrictions? Are you using sysopt connection permit-ipsec? Example of the logs you are seeing etc.

svanguilder Thu, 06/26/2008 - 10:46
I am adding the restrictions as an ACL in IPSEC rules.


I edited out the addresses that I don't want out there. But the xx.xxx.150.17 address is the address of their PIX, the 192.168.49.0 is the subnet that I am allowing and xxx.xx.176.22 is the address he is trying to connect to.


One line of the ACL that I have here is:

access-list outside_cryptomap_260 line 2 extended permit tcp host xxx.xx.176.22 192.168.49.0 255.255.255.0 eq telnet (hitcnt=0)


What I am not clear on is why we are seeing the PIX address there instead of the 192.168.49.0 addresses when they try to telnet.



acomiskey Thu, 06/26/2008 - 11:07

This is not the correct way to filter the traffic in the tunnel.


Leave your crypto map ACLs as...


access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0


and on the other end...


access-list outside_cryptomap_260 extended permit ip 192.168.49.0 255.255.255.0 host xxx.xx.176.22


To filter the traffic you can either remove "sysopt connection permit-ipsec/vpn" and use your interface ACLs to filter the traffic.


Another option in the ASA is to use a vpn-filter. This link is for remote access vpn but it works for l2l as well.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
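An added example of the vpn-filter approach on the ASA side (this is not configuration from the thread or from the linked Cisco document). It keeps the crypto map ACL broad and does the filtering in a vpn-filter attached to the L2L tunnel-group. The ACL name L2L_FILTER and the group-policy name L2L_POLICY are assumed; the addresses are the masked ones from the thread, with the tunnel-group named after the peer PIX address as is usual for L2L on the ASA.

```text
! Crypto map ACL stays broad: it only selects which traffic is encrypted,
! so the SA proxy identities match what the PIX proposes.
access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0

! vpn-filter ACL. On the ASA this is written with the REMOTE side as the source
! and the LOCAL side as the destination, and it is applied to tunnel traffic in
! both directions. Only telnet from the remote subnet to the local host passes;
! anything else arriving decrypted hits the implicit deny.
access-list L2L_FILTER extended permit tcp 192.168.49.0 255.255.255.0 host xxx.xx.176.22 eq telnet

! Bind the filter to the L2L peer through a group-policy (assumed names).
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value L2L_FILTER

tunnel-group xx.xxx.150.17 type ipsec-l2l
tunnel-group xx.xxx.150.17 general-attributes
 default-group-policy L2L_POLICY
```

After a telnet attempt from the remote side, "show access-list L2L_FILTER" should show a non-zero hit count on the permit line; if the count stays at zero while the tunnel is up, the filter is not the thing blocking the connection.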


svanguilder Thu, 06/26/2008 - 11:24
Thanks...I was starting to come to the conclusion that was the wrong place to set the restrictions, but I didn't know where to look.
