Crypto acl with a deny line for L2L vpn

evucinovich
Level 1

Hi everyone. I have problems with a L2L VPN between an ASA ver. 7.2 and a Checkpoint, and I have deny lines in the crypto ACL. Is that possible, or could there be some problem related to this? I don't have matches on these lines.

This is the crypto ACL.

access-list xxx extended deny ip 172.0.0.0 255.255.0.0 host VMCPRD
access-list xxx extended deny ip 172.16.1.0 255.255.255.0 host VMCPRD
access-list xxx extended deny ip 10.167.0.0 255.255.240.0 host VMCPRD
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 200.123.188.0 255.255.255.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 10.162.0.0 255.255.0.0

Thanks.

Regards!

4 Replies

jliscano
Level 1

Are those IP ranges able to get to VMCPRD hosts? Is that what is happening? I'm not clear on what you mean. But let me give this a shot...

Since this is a crypto match-address ACL, I would remove the deny statements and only allow traffic between the local subnets and remote subnets. Then I would add a deny ACL statement on the Ethernet interface. Hope this helps.

Hi!!!

Yes, maybe I need to be more clear. I need all the traffic to be encrypted except the deny lines, but I need all traffic to pass through the firewall. That's the idea. Thanks a lot.

Regards.

VMCPRD has this IP address: 10.162.7.19. If you see, it is in the interesting traffic that I declare in the crypto ACL.

Have you defined the crypto ACL at the other end to not encrypt 10.162.7.19 to the other IP ranges? Also, I would try replacing the name "VMCPRD" in the ACL with the IP address instead. Since I have not seen a deny statement used on a crypto ACL, I hope someone else can assist.

Good luck.
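As an added illustration that is not part of the thread, the Python script below applies first-match evaluation to the crypto ACL posted above, with the object name VMCPRD resolved to 10.162.7.19 as the poster states, and reports which flows the ASA would protect with IPsec and which it would forward unencrypted. It assumes the usual ASA crypto-map semantics: a permit ACE marks the flow as interesting traffic, while a deny ACE, or no matching ACE at all, leaves the flow outside the tunnel.

```python
import ipaddress

# Constructed input: the crypto ACL posted in the thread (verbatim), with the
# object name VMCPRD resolved to 10.162.7.19 as the poster states.
CRYPTO_ACL = """
access-list xxx extended deny ip 172.0.0.0 255.255.0.0 host VMCPRD
access-list xxx extended deny ip 172.16.1.0 255.255.255.0 host VMCPRD
access-list xxx extended deny ip 10.167.0.0 255.255.240.0 host VMCPRD
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 200.123.188.0 255.255.255.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 10.162.0.0 255.255.0.0
"""
NAMES = {"VMCPRD": "10.162.7.19"}   # ASA 'names' entry, as given in the thread

def parse_ace(line):
    """Return (action, src_net, dst_net) for one 'extended <action> ip' ACE."""
    tok = line.split()
    action, rest, nets = tok[3], tok[5:], []   # tok[4] is the protocol 'ip'
    while rest:
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(NAMES.get(rest[1], rest[1])))
            rest = rest[2:]
        elif rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:                                   # 'network mask' pair
            nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
            rest = rest[2:]
    return action, nets[0], nets[1]

def classify(acl_text, src, dst):
    """First match wins. Returns (disposition, matching ACE number or None).
    permit -> flow is protected by IPsec; deny or no match -> flow leaves the
    ASA unencrypted (if routing and the interface ACL allow it at all)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    aces = [l for l in acl_text.splitlines() if l.strip()]
    for n, line in enumerate(aces, 1):
        action, snet, dnet = parse_ace(line)
        if s in snet and d in dnet:
            return ("encrypted" if action == "permit" else "cleartext", n)
    return ("cleartext", None)

if __name__ == "__main__":
    for flow in [("172.16.1.5", "10.162.7.19"), ("10.167.3.4", "10.162.7.19"),
                 ("10.167.3.4", "10.162.1.1"), ("192.168.1.1", "10.162.1.1")]:
        print(flow, "->", classify(CRYPTO_ACL, *flow))
```

The output shows that every flow from the three local ranges to VMCPRD stops at a deny ACE and would cross the path between the peers unencrypted, which is only acceptable if that is the intended design and the Checkpoint side carries the same exclusions in its mirrored definition.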
