03-31-2010 02:20 PM - last edited on 02-21-2020 11:20 PM by cc_security_adm
I'm in the process of setting up VPN. The setup is easy, but ACLs can be rather difficult to get working correctly even when something is missing. It seems I can ping and access my server network. I can access and ping my core switch with no problems. Anything past that I cannot reach, ping or access.
I've gone as far as creating a standard ACL and an extended one, and neither will work.
What is missing to make this work correctly?
03-31-2010 02:58 PM
Hi
There are two access lists used in a typical IPsec VPN configuration. One access list is used to exempt traffic that is destined for the VPN tunnel from the NAT process. The other access list defines what traffic to encrypt. If these ACLs are incorrectly configured or missing, traffic might only flow in one direction across the VPN tunnel.
Be sure that you have configured all of the access lists necessary to complete your IPsec VPN configuration and that those access lists define the correct traffic. Are you able to post the ACLs?
Regards
04-01-2010 07:24 AM
Here is what I have listed on ACLs pertaining to what I am allowing.
Standard list:
access-list IS-Split-Tunnel standard permit 192.255.255.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 192.168.57.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 10.0.0.0 255.0.0.0
access-list IS-Split-Tunnel standard permit 192.167.100.0 255.255.255.0
Extended List:
04-03-2010 12:27 AM
Another access-list that is required is the NAT exemption access-list. You would need to add the new internal subnet towards the ip pool subnet.
Also remember to route traffic towards the ip pool in your internal switch/router towards the ASA firewall.
Hope that helps.
04-05-2010 05:14 AM
How about an example?
04-05-2010 05:36 AM
Assuming that the network that you are trying to access is connected to the ASA inside interface.
So if you run the command: "sh run nat", you should see a NAT exemption statement as follows:
nat (inside) 0 access-list
On that access-list, you should add an access-list line that says to permit from source: the network behind the core switch that you were trying to access towards the vpn ip pool subnet.
And on your core switch, if the ASA is not the default gateway, you would need to add a route for the ip pool subnet towards the ASA.
Hope that helps.
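A small check for the situation described in this answer (an added example, not the thread's own code): it reads the split-tunnel ACL and the ACL bound by "nat (inside) 0" in the thread's pre-8.3 ASA syntax and reports every split-tunnel subnet that has no exemption line toward the VPN pool. The ACL name inside_nat0_outbound and the pool 192.168.200.0/24 are assumptions; the sample config is constructed from the subnets posted above.

```python
import ipaddress
import re

# Constructed sample config in the thread's pre-8.3 ASA syntax. The split-tunnel
# subnets are the ones posted above; the NAT-exemption ACL name and the VPN pool
# 192.168.200.0/24 are assumptions, and two split-tunnel subnets are deliberately
# left without an exemption line so the check has something to report.
SAMPLE_CONFIG = """
access-list IS-Split-Tunnel standard permit 192.255.255.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 192.168.57.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 10.0.0.0 255.0.0.0
access-list IS-Split-Tunnel standard permit 192.167.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.57.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

SPLIT_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
EXEMPT_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")


def _net(addr, mask):
    """Build a network from ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def missing_exemptions(config, split_acl, pool):
    """Return the split-tunnel subnets that no NAT-exemption line covers toward the pool.

    A subnet is covered when some entry of the ACL bound by 'nat (inside) 0'
    has a source that contains it and a destination that contains the pool.
    Without a 'nat (inside) 0' line nothing is exempt, so every subnet is reported.
    """
    pool_net = ipaddress.ip_network(pool)
    exempt_acl, split_nets, exempt_entries = None, [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT0_RE.match(line):
            exempt_acl = m.group(1)
        elif (m := SPLIT_RE.match(line)) and m.group(1) == split_acl:
            split_nets.append(_net(m.group(2), m.group(3)))
        elif m := EXEMPT_RE.match(line):
            src, dst = _net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))
            exempt_entries.setdefault(m.group(1), []).append((src, dst))
    covered = exempt_entries.get(exempt_acl, [])
    return [str(n) for n in split_nets
            if not any(n.subnet_of(src) and pool_net.subnet_of(dst) for src, dst in covered)]


if __name__ == "__main__":
    for subnet in missing_exemptions(SAMPLE_CONFIG, "IS-Split-Tunnel", "192.168.200.0/24"):
        print(f"no NAT exemption for {subnet} -> 192.168.200.0/24: VPN clients get NATed")
```

Any subnet it lists is one that VPN clients can reach only if the NAT exemption ACL gains a matching line; the route on the core switch still has to be checked separately.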
08-03-2010 12:01 PM