06-26-2009 07:19 AM
Hi everyone, please, I have problems with some L2L VPNs between an ASA ver. 7.2 and some Checkpoints, and I have deny lines in the crypto ACL. Is that possible, or could it be some problem related to this? I don't have matches on these lines.
This is the crypto ACL.
access-list xxx extended deny ip 172.0.0.0 255.255.0.0 host VMCPRD
access-list xxx extended deny ip 172.16.1.0 255.255.255.0 host VMCPRD
access-list xxx extended deny ip 10.167.0.0 255.255.240.0 host VMCPRD
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 200.123.188.0 255.255.255.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 132.145.0.0 255.255.0.0
access-list xxx extended permit ip 172.0.0.0 255.255.0.0 10.162.0.0 255.255.0.0
Thanks.
Regards!!!
06-26-2009 10:58 AM
Are those IP ranges able to get to VMCPRD hosts? Is that what is happening? I'm not clear on what you mean. But let me give this a shot...
Since this is a crypto match-address ACL, I would remove the deny statements and only allow traffic between the local subnets and remote subnets. Then I would add a deny ACL statement in the ethernet interface. Hope this helps.
06-29-2009 10:30 AM
Hi!!!
Yes, maybe I need to be more clear. I need all the traffic to be encrypted except the deny lines, but I need all traffic to pass through the firewall. That's the idea. Thanks a lot.
Regards.
06-29-2009 10:32 AM
VMCPRD has this IP address: 10.162.7.19. If you look, it is inside the interesting traffic that I declare in the crypto ACL.
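An added check, not part of this thread and not a Cisco tool: a small Python model of first-match evaluation over the crypto ACL quoted above, with the object name VMCPRD expanded to 10.162.7.19 as the poster states. It assumes (this is the assumption the thread itself is unsure about) that a deny ACE in a crypto ACL is honoured in first-match order as "exclude from encryption". What it can show regardless of that is which ACEs can ever be hit: an ACE fully covered by an earlier one is shadowed, and a deny that overlaps no later permit excludes nothing, so its counters stay at zero no matter what the traffic is.

```python
import ipaddress

# Crypto ACL copied from the post; 'access-list xxx extended' stripped and
# VMCPRD replaced by 10.162.7.19. The deny ACEs are indices 0, 1 and 2.
CRYPTO_ACL = """
deny ip 172.0.0.0 255.255.0.0 host 10.162.7.19
deny ip 172.16.1.0 255.255.255.0 host 10.162.7.19
deny ip 10.167.0.0 255.255.240.0 host 10.162.7.19
permit ip 10.167.0.0 255.255.240.0 132.145.0.0 255.255.0.0
permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0
permit ip 10.167.0.0 255.255.240.0 200.123.188.0 255.255.255.0
permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0
permit ip 172.0.0.0 255.255.0.0 132.145.0.0 255.255.0.0
permit ip 172.0.0.0 255.255.0.0 10.162.0.0 255.255.0.0
"""


def _parse_addr(tokens):
    """Consume one ASA address spec: 'host A', 'any', or 'A NETMASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse 'deny|permit ip SRC DST' lines into (action, proto, src_net, dst_net) tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":        # tolerate the full 'access-list NAME extended ...' form
            t = t[3:]
        action, proto = t[0], t[1]
        src, rest = _parse_addr(t[2:])
        dst, _ = _parse_addr(rest)
        aces.append((action, proto, src, dst))
    return aces


def classify(aces, src_ip, dst_ip):
    """First-match lookup (assumed semantics). Returns (ace_index, action);
    (None, 'deny') means no ACE matched, i.e. the flow is not interesting traffic."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, _, src, dst) in enumerate(aces):
        if s in src and d in dst:
            return i, action
    return None, "deny"


def shadowed_aces(aces):
    """Indices of ACEs whose src and dst are fully covered by an earlier ACE; they can never be hit."""
    out = []
    for i, (_, _, src, dst) in enumerate(aces):
        if any(src.subnet_of(ps) and dst.subnet_of(pd) for _, _, ps, pd in aces[:i]):
            out.append(i)
    return out


def ineffective_denies(aces):
    """Indices of deny ACEs that overlap no later permit: the flows they name would not
    have been encrypted anyway, so removing the deny changes nothing and it never matches."""
    out = []
    for i, (action, _, src, dst) in enumerate(aces):
        if action != "deny":
            continue
        later = [a for a in aces[i + 1:] if a[0] == "permit"]
        if not any(src.overlaps(ps) and dst.overlaps(pd) for _, _, ps, pd in later):
            out.append(i)
    return out


if __name__ == "__main__":
    acl = parse_acl(CRYPTO_ACL)
    # Constructed sample flows, not taken from the thread.
    for flow in [("172.0.5.1", "10.162.7.19"), ("172.0.5.1", "10.162.7.20"),
                 ("10.167.3.4", "10.162.7.19"), ("172.16.1.5", "10.162.7.20")]:
        print(flow, "->", classify(acl, *flow))
    print("shadowed ACEs:", shadowed_aces(acl))
    print("deny ACEs that exclude nothing:", ineffective_denies(acl))
```

Run against the posted ACL, the second deny (172.16.1.0/24 to the host) is reported as excluding nothing, because no later permit has a source inside 172.16.1.0/24 (172.0.0.0 255.255.0.0 is 172.0.0.0/16, which does not contain 172.16.x.x). The other two denies do overlap the permits at indices 4 and 8, so under first-match semantics they would carve the host out of the encrypted range; whether the ASA 7.2 crypto map actually honours them is the question the thread leaves open, and `show access-list` hit counts on the live box are the way to settle it.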
06-30-2009 09:03 AM
Have you defined the crypto ACL at the other end to not encrypt 10.162.7.19 to the other IP ranges? Also, I would try replacing the name "VMCPRD" in the ACL with the IP address instead. Since I have not seen a deny statement used on a crypto ACL, I hope someone else can assist.
Good luck.