Crypto acl with a deny line for L2L vpn

Unanswered Question
Jun 26th, 2009

Hi everyone, please I have problems with some L2L VPN with an ASA ver. 7.2 and some Checkpoint and I have a deny line in the crypto ACL. Is that possible or could it be some problem related with this?? I don't have matches in these lines.

This is the crypto acl.

access-list xxx extended deny ip 172.0.0.0 255.255.0.0 host VMCPRD
access-list xxx extended deny ip 172.16.1.0 255.255.255.0 host VMCPRD
access-list xxx extended deny ip 10.167.0.0 255.255.240.0 host VMCPRD
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 200.123.188.0 255.255.255.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 10.162.0.0 255.255.0.0

Thanks.

Regards!!!

jliscano Fri, 06/26/2009 - 10:58

Are those IP ranges able to get to VMCPRD hosts? Is that what is happening? I'm not clear on what you mean. But let me give this a shot...

Since this is a crypto match-address ACL, I would remove the deny statements and only allow traffic between the local subnets and remote subnets. Then I would add a deny ACL statement in the ethernet interface. Hope this helps.

evucinovich Mon, 06/29/2009 - 10:30

Hi!!!

Yes, maybe I need to be more clear. I need all the traffic to be encrypted except the deny lines, but I need all traffic to pass through the firewall. That's the idea. Thanks a lot.

Regards.

evucinovich Mon, 06/29/2009 - 10:32

The VMCPRD has this IP address 10.162.7.19. If you see, it is in the interesting traffic that I declare in the crypto ACL.

jliscano Tue, 06/30/2009 - 09:03

Have you defined the crypto ACL at the other end to not encrypt 10.162.7.19 to the other IP ranges? Also, I would try replacing the name "VMCPRD" on the ACL with the IP address instead. Since I have not seen a deny statement used on a crypto ACL, I hope someone else can assist.

Good luck.
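Added example (not from the thread or from Cisco): a small Python evaluator for the crypto ACL posted in the question, with the object name VMCPRD replaced by the 10.162.7.19 address the poster gives later. It applies the first-match semantics a crypto map uses: a permit entry marks the flow as interesting traffic to be encrypted, a deny entry exempts the matching flow from IPsec (the packet is not dropped, it is just sent in the clear and is still subject to the interface ACL), and a flow that matches nothing is not interesting traffic at all. It also shows why the deny lines only work because they come before the broader permit for 10.162.0.0/16, and gives a per-line hit counter like the hitcnt column of `show access-list`, which is what "I don't have matches in these lines" refers to. The sample flows are constructed for the example.

```python
import ipaddress

# Crypto ACL copied from the question, with the object name VMCPRD replaced by the
# address 10.162.7.19 that the poster gives later in the thread.
CRYPTO_ACL_TEXT = """
access-list xxx extended deny ip 172.0.0.0 255.255.0.0 host 10.162.7.19
access-list xxx extended deny ip 172.16.1.0 255.255.255.0 host 10.162.7.19
access-list xxx extended deny ip 10.167.0.0 255.255.240.0 host 10.162.7.19
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 200.123.188.0 255.255.255.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 10.162.0.0 255.255.0.0
"""


def _parse_address(tokens):
    """Consume one ASA address spec ('host A', 'any', or 'NET MASK'); return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ASA extended ACLs use a real subnet mask (not an IOS wildcard); ip_network accepts "addr/mask".
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Parse 'access-list NAME extended ACTION ip SRC DST' lines into (action, src_net, dst_net) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        action = tokens[3]
        if action not in ("permit", "deny") or tokens[4] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, rest = _parse_address(tokens[5:])
        dst, rest = _parse_address(rest)
        entries.append((action, src, dst))
    return entries


def classify_flow(entries, src_ip, dst_ip):
    """First-match evaluation, as a crypto map applies it.

    Returns ('encrypt', line_no) for a permit hit, ('clear', line_no) for a deny hit
    (a deny in a crypto ACL exempts the flow from IPsec; it is not dropped) and
    ('clear', None) when no line matches (no IPsec SA is ever negotiated for it).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line_no, (action, src_net, dst_net) in enumerate(entries, start=1):
        if src in src_net and dst in dst_net:
            return ("encrypt" if action == "permit" else "clear", line_no)
    return ("clear", None)


def hit_counts(entries, flows):
    """Per-line hit counter over (src, dst) pairs, like the hitcnt column of 'show access-list'."""
    counts = [0] * len(entries)
    for src_ip, dst_ip in flows:
        _, line_no = classify_flow(entries, src_ip, dst_ip)
        if line_no is not None:
            counts[line_no - 1] += 1
    return counts


def with_denies_last(entries):
    """Same entries with the deny lines moved after the permits, to show that order matters."""
    return [e for e in entries if e[0] == "permit"] + [e for e in entries if e[0] == "deny"]


ACL = parse_crypto_acl(CRYPTO_ACL_TEXT)

# Constructed sample flows (not from the thread).
SAMPLE_FLOWS = [
    ("10.167.1.1", "10.162.7.19"),  # 10.167.0.0/20 -> VMCPRD: hits deny line 3, sent in the clear
    ("10.167.1.1", "10.162.1.1"),   # 10.167.0.0/20 -> rest of 10.162.0.0/16: permit line 5, encrypted
    ("172.0.5.5", "10.162.7.19"),   # 172.0.0.0/16 -> VMCPRD: deny line 1
    ("192.168.1.1", "10.162.1.1"),  # no line matches: not interesting traffic at all
]

if __name__ == "__main__":
    for src_ip, dst_ip in SAMPLE_FLOWS:
        print(src_ip, "->", dst_ip, classify_flow(ACL, src_ip, dst_ip))
    print("hitcnt per line:", hit_counts(ACL, SAMPLE_FLOWS))
    # With the deny lines after the permits, the VMCPRD flow would match permit line 5 first.
    print("denies last:", classify_flow(with_denies_last(ACL), "10.167.1.1", "10.162.7.19"))
```

Two things the evaluator makes visible that the thread leaves implicit: the deny lines have to be a mirror image on the Checkpoint side as well (otherwise the peer will still try to bring up an SA for 10.162.7.19 traffic), and a flow sent in the clear because of a deny entry is then evaluated by the interface ACL, which is where the first reply suggests putting any real drop.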
