06-26-2008 08:24 AM - edited 03-09-2019 08:58 PM
Got a bit of a strange issue here. We have a LAN-to-LAN up and going if we allow all IP traffic to pass, but as soon as we start adding restrictions it won't work. I wind up with the IP address of the remote device in the logs as trying to connect. I have an ASA on this end and they have a PIX on that end. He swears he has NAT disabled for the tunnel; we both have NAT-T enabled.
Anyone got any ideas?
06-26-2008 08:54 AM
You'll have to be a bit more specific. Where are you placing these restrictions? Are you using sysopt connection permit-ipsec? An example of the logs you are seeing, etc.
06-26-2008 10:46 AM
I am adding the restrictions as an ACL in the IPsec rules.
I edited out the addresses that I don't want out there, but the xx.xxx.150.17 address is the address of their PIX, 192.168.49.0 is the subnet that I am allowing, and xxx.xx.176.22 is the address he is trying to connect to.
One line of the ACL that I have here is:
access-list outside_cryptomap_260 line 2 extended permit tcp host xxx.xx.176.22 192.168.49.0 255.255.255.0 eq telnet (hitcnt=0)
What I am not clear on is why we are seeing the PIX address there instead of the 192.168.49.0 addresses when they try to telnet.
06-26-2008 11:07 AM
This is not the correct way to filter the traffic in the tunnel.
Leave your crypto map ACLs as...
access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0
and on the other end...
access-list outside_cryptomap_260 extended permit ip 192.168.49.0 255.255.255.0 host xxx.xx.176.22
To filter the traffic you can remove "sysopt connection permit-ipsec/vpn" and use your interface ACLs to filter the traffic.
Another option in the ASA is to use a vpn-filter. This link is for remote access VPN, but it works for L2L as well.
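As an added illustration (not part of the original thread), here is what the advice above looks like on the ASA side, using the addresses from the thread. The crypto map name, transform set, group-policy and filter ACL names, and the pre-shared key placeholder are assumed; substitute your own.

```cisco
! Crypto map ACL: define the interesting traffic with "permit ip" only, as the
! mirror image of the PIX side. Protocol/port restrictions do not belong here:
! a crypto ACL that is not symmetric with the peer's produces a proxy-ID
! mismatch and the IPsec SA for that traffic is never built.
access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0

! (assumed names) crypto map "outside_map", transform set "ESP-3DES-SHA",
! peer address taken from the thread
crypto map outside_map 260 match address outside_cryptomap_260
crypto map outside_map 260 set peer xx.xxx.150.17
crypto map outside_map 260 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! Option 1: vpn-filter, with "sysopt connection permit-vpn" left at its default.
! The filter ACL is written from the remote side's point of view (source =
! remote network, destination = local host) and the ASA applies it to both
! directions of the tunnel, so one line covers the telnet session and its
! return traffic.
access-list L2L_260_FILTER extended permit tcp 192.168.49.0 255.255.255.0 host xxx.xx.176.22 eq telnet
group-policy L2L_260_POLICY internal
group-policy L2L_260_POLICY attributes
 vpn-filter value L2L_260_FILTER
tunnel-group xx.xxx.150.17 type ipsec-l2l
tunnel-group xx.xxx.150.17 general-attributes
 default-group-policy L2L_260_POLICY
tunnel-group xx.xxx.150.17 ipsec-attributes
 pre-shared-key <shared-secret-placeholder>

! Option 2 (instead of the vpn-filter): stop bypassing the interface ACL for
! decrypted VPN traffic and filter it with the outside interface ACL like any
! other inbound traffic. On older releases the command is
! "no sysopt connection permit-ipsec". This affects every VPN that terminates
! on the ASA, remote-access users included, so their traffic must also be
! permitted in the interface ACL once this is turned off.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp 192.168.49.0 255.255.255.0 host xxx.xx.176.22 eq telnet
access-group outside_access_in in interface outside
```

After the change, "show crypto ipsec sa peer xx.xxx.150.17" should show an SA whose local and remote identities are the host and the /24 from the permit-ip line, and "show access-list L2L_260_FILTER" (or the interface ACL) should be the place where hit counts climb when a telnet session is attempted. If the peer's own outside address xx.xxx.150.17 still appears as the source of those telnet attempts, the PIX is translating the 192.168.49.0/24 hosts before it encrypts them, which is a NAT exemption problem on that side and not something any ACL on the ASA can correct.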
06-26-2008 11:24 AM
Thanks...I was starting to come to the conclusion that was the wrong place to set the restrictions, but I didn't know where to look.