ACL on ASA Problem

king06aaa
Level 1

I am a newbie when it comes to configuring firewalls. I am configuring an ASA and am having a problem with the ACLs.

When I establish an IPSec tunnel coming into the appliance, I can make the connection but I can't see anything on the network. When I look at the log I am getting numerous messages stating:

"Deny inbound UDP from 192.168.5.1/138 to 192.168.5.255/138 on interface Outside".

The IP address above is just the IP address it received from the pool I identified.

I have tried adding specific ACEs at the top of the ACL on the outside interface to allow the 198.162.5 range but to no avail.

Does anyone have ideas what to look for?

2 Replies

chaitu_kranthi
Level 1

Hi,

After creating the IPSec tunnel, you have to create an ACL and you have to map the IPSec to that ACL.

See the example below for better understanding.

If you are creating the IPSec with the match ID as 133 then

crypto map 133 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TrippleDes
 match address 133

The ACL should be:

access-list 133 permit ip 192.168.0.0 0.0.255.255 100.9.254.0 0.0.0.255
access-list 133 permit ip 100.0.0.0 0.255.255.255 100.9.254.0 0.0.0.255

Please rate me if it helps you.

Hi,

Thanks for your reply. I guess I wasn't clear.

This isn't a L2L IPSec tunnel. It's a temporary tunnel created by using the Cisco IPSec client. In other words, by a user wanting to VPN in from home to access the network.
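Added example, not part of the original thread: a short Python triage of deny messages in the format quoted in the question, separating broadcast traffic sent by pool clients from denied unicast flows to specific hosts. The /24 pool mask, the 10.0.0.20 internal host and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the VPN pool is 192.168.5.0/24; the thread shows only .1 and .255.
POOL = ipaddress.ip_network("192.168.5.0/24")
NETBIOS_UDP = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}
# Matches only the message shape quoted in the question.
DENY_RE = re.compile(
    r"Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\w+)"
)

def classify(line, pool=POOL):
    """Return (category, flow) for a deny line, or None for anything else."""
    m = DENY_RE.search(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    flow = f"{src}/{m['sport']} -> {dst}/{dport} on {m['ifc']}"
    if src not in pool:
        return ("other-source", flow)
    if dst in (pool.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        # Subnet or limited broadcast: not a connection attempt to a specific host.
        return ("broadcast-noise", f"{flow} ({NETBIOS_UDP.get(dport, 'broadcast')})")
    return ("unicast-deny", flow)

def triage(lines):
    """Count categories and collect the unicast denies from pool clients."""
    counts, unicast = Counter(), []
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        counts[result[0]] += 1
        if result[0] == "unicast-deny":
            unicast.append(result[1])
    return counts, unicast

# Constructed sample: line 1 is the message from the question, the rest are made up.
SAMPLE = [
    "Deny inbound UDP from 192.168.5.1/138 to 192.168.5.255/138 on interface Outside",
    "Deny inbound UDP from 192.168.5.1/137 to 192.168.5.255/137 on interface Outside",
    "Deny inbound UDP from 192.168.5.1/53124 to 10.0.0.20/53 on interface Outside",
    "Built inbound UDP connection for Outside:192.168.5.1/53125",
]

if __name__ == "__main__":
    counts, unicast = triage(SAMPLE)
    print(dict(counts))
    for flow in unicast:
        print("investigate:", flow)
```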
