L2L Connection issues

svanguilder
Level 1

Got a bit of a strange issue here. We have a LAN-to-LAN up and going if we allow all IP traffic to pass, but as soon as we start adding restrictions it won't work. I wind up with the IP address of the remote device in the logs as trying to connect. I have an ASA on this end and they have a PIX on that end. He swears he has NAT disabled for the tunnel, and we both have NAT-T enabled.

Anyone got any ideas?

4 Replies

acomiskey
Level 10

You'll have to be a bit more specific. Where are you placing these restrictions? Are you using sysopt connection permit-ipsec? An example of the logs you are seeing would help, etc.

I am adding the restrictions as an ACL in the IPsec rules.

I edited out the addresses that I don't want out there. But the xx.xxx.150.17 address is the address of their PIX, 192.168.49.0 is the subnet that I am allowing, and xxx.xx.176.22 is the address he is trying to connect to.

One line of the ACL that I have here is:

access-list outside_cryptomap_260 line 2 extended permit tcp host xxx.xx.176.22 192.168.49.0 255.255.255.0 eq telnet (hitcnt=0)

What I am not clear on is why we are seeing the PIX address there instead of the 192.168.49.0 addresses when they try to telnet.

This is not the correct way to filter the traffic in the tunnel.

Leave your cryptomap acls as...

access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0

and on the other end...

access-list outside_cryptomap_260 extended permit ip 192.168.49.0 255.255.255.0 host xxx.xx.176.22

To filter the traffic, you can remove "sysopt connection permit-ipsec/vpn" and use your interface ACLs to filter it.

Another option on the ASA is to use a vpn-filter. This link is for remote access VPN, but it works for L2L as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
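
The vpn-filter approach from the reply above, as an added example that is not part of the original thread. It assumes the poster's ASA side as described (host xxx.xx.176.22 local, 192.168.49.0/24 behind the PIX at xx.xxx.150.17) and uses made-up names L2L_FILTER and L2L_POLICY. The crypto map ACL stays at plain ip because it defines the IPsec proxy identities that have to mirror the PIX's crypto ACL exactly; adding "eq telnet" to it offers a phase 2 selector the PIX side never proposes, so the SA does not come up. The vpn-filter ACE is written with the remote side as source, which is how the ASA evaluates it for both directions of the tunnel. The interface ACL alternative is shown commented out at the end; on older releases the sysopt keyword is permit-ipsec rather than permit-vpn.

```cisco
! Added example, not from the original thread. Names L2L_FILTER and
! L2L_POLICY are assumed; addresses are the masked ones from the post.
!
! 1. Crypto ACL: protocol/ports stay out of it. This ACL defines the IPsec
!    proxy identities and must be the mirror image of the PIX side's ACL.
access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0
!
! 2. vpn-filter ACL: written from the remote (PIX) side's point of view,
!    source = remote subnet, destination = local host and port. The ASA
!    applies it to decrypted inbound traffic and, with source/destination
!    swapped, to outbound traffic before encryption.
access-list L2L_FILTER extended permit tcp 192.168.49.0 255.255.255.0 host xxx.xx.176.22 eq telnet
access-list L2L_FILTER extended deny ip any any
!
! 3. Attach the filter to a group policy and bind it to the L2L tunnel
!    group, which is named after the peer address.
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value L2L_FILTER
!
tunnel-group xx.xxx.150.17 type ipsec-l2l
tunnel-group xx.xxx.150.17 general-attributes
 default-group-policy L2L_POLICY
!
! Alternative: disable the VPN bypass and let the outside interface ACL
! filter decrypted traffic. Append the ACE to the ACL already bound to the
! outside interface; a fresh access-group line replaces the existing binding.
! no sysopt connection permit-vpn
! access-list outside_access_in extended permit tcp 192.168.49.0 255.255.255.0 host xxx.xx.176.22 eq telnet
! access-group outside_access_in in interface outside
```

After changing the crypto ACL, clear the existing SA with "clear crypto ipsec sa peer xx.xxx.150.17" so both ends renegotiate with the new selectors, then watch "show access-list L2L_FILTER" while the remote side telnets: hit counts on the permit line confirm the filter is in the path, and hits on the deny line show what else is trying to come through the tunnel.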

Thanks...I was starting to come to the conclusion that was the wrong place to set the restrictions, but I didn't know where to look.