ASA Understanding on ACL's

rbill1967
Level 1

I'm in the process of setting up a VPN. The setup is easy, but ACLs can be rather difficult to get working correctly, even when only something small is missing. It seems I can ping and access my server network. I can access and ping my core switch with no problems. Anything past that I cannot reach, ping or access.

I've gone as far as changing the Standard ACL to an Extended one, and neither will work.

What is missing to make this work correctly?

1 Accepted Solution

Assuming that the network that you are trying to access is connected to the ASA inside interface.

So if you run the command: "sh run nat", you should see a NAT exemption statement as follows:

nat (inside) 0 access-list

On that access-list, you should add an access-list line that says to permit from source: the network behind the core switch that you were trying to access towards the vpn ip pool subnet.

And on your core switch, if ASA is not the default gateway, you would need to add route for the ip pool subnet towards the ASA.

Hope that helps.
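The three pieces the accepted solution describes (NAT exemption ACL, the nat 0 statement, and the return route on the core switch), written out as an added example that is not from the original thread. The values are assumed for illustration: VPN pool 192.168.250.0/24, NAT-exempt ACL named NONAT, network behind the core switch 10.20.0.0/16, ASA inside address 10.0.0.1; the pre-8.3 "nat (inside) 0 access-list" syntax matches what the reply quotes.

```text
! --- ASA (pre-8.3 NAT syntax) ---
! Assumed values: VPN pool 192.168.250.0/24, ACL name NONAT,
! internal network behind the core switch 10.20.0.0/16.

! 1. NAT exemption: traffic from the internal network towards the VPN pool
!    must bypass translation, otherwise replies never reach the tunnel.
access-list NONAT extended permit ip 10.20.0.0 255.255.0.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Split tunnel: the destinations the client sends through the tunnel.
!    The thread's IS-Split-Tunnel ACL already covers 10.0.0.0/8, which
!    includes the 10.20.0.0/16 network used here.
access-list IS-Split-Tunnel standard permit 10.0.0.0 255.0.0.0

! 3. Verify on the ASA that a packet from the internal network to a pool
!    address is exempted rather than translated (assumed hosts):
!    packet-tracer input inside icmp 10.20.0.10 8 0 192.168.250.10

! --- Core switch (IOS), only if the ASA is not its default gateway ---
! Return traffic for the pool needs an explicit route back to the ASA,
! 10.0.0.1 being the assumed ASA inside address.
ip route 192.168.250.0 255.255.255.0 10.0.0.1

! Verify on the switch that the pool resolves to the ASA:
!    show ip route 192.168.250.0
```

If the route is missing, the ASA-connected server network still works (it never needed the route) while everything behind the core switch fails, which is exactly the symptom in the original question.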


6 Replies

craig bache
Level 1

Hi

There are two access lists used in a typical IPsec VPN configuration. One access list is used to exempt traffic that is destined for the VPN tunnel from the NAT process. The other access list defines what traffic to encrypt. If these ACLs are incorrectly configured or missing, traffic might only flow in one direction across the VPN tunnel.

Be sure that you have configured all of the access lists necessary to complete your IPsec VPN configuration and that those access lists define the correct traffic. Are you able to post the ACLs?

Regards

Here is what I have listed on ACLs pertaining to what I am allowing.

Standard list:

access-list IS-Split-Tunnel standard permit 192.255.255.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 192.168.57.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 10.0.0.0 255.0.0.0
access-list IS-Split-Tunnel standard permit 192.167.100.0 255.255.255.0

Extended List:

Another access-list that is required is the NAT exemption access-list. You would need to add the new internal subnet towards the ip pool subnet.

Also remember to route traffic towards the ip pool in your internal switch/router towards the ASA firewall.

Hope that helps.

halijenn

How about an example?


Here is my latest, but still no success in getting the rest of the way.
