ASA - 5520 - ACL

soofiahtesham
Level 1

Hello everyone,

I have a quick and easy one for you guys. I am using an ASA 5520 with the following versions: Cisco Adaptive Security Appliance Software Version 8.2(2), Device Manager Version 6.2(5).

I already have a VPN tunnel established. However, I just want to verify some new configuration that I am about to do.

1> On either side of the VPN our clients are making the following changes...

permit ip host 10.240.96.98 172.30.2.0 0.0.0.255

permit ip host 10.240.96.98 172.30.150.0 0.0.0.255

permit ip host 10.240.96.98 172.30.209.0 0.0.0.255

permit ip host 10.240.96.98 172.30.202.0 0.0.0.255

My question is: what changes (commands) do I have to make on my end (on the ASA) to allow these changes to work?

Thanks in Advance


Hi,

If this ACL is the access-list for VPN traffic, then you should remove any other statements on that ACL and include the list in the crypto map instance for this tunnel.

The exact commands that you need depends on the existing configuration.

Remember that the crypto ACL needs to be a mirror on both sides.

Federico.

Thanks for replying.

Yes, the ACL is the access-list for VPN traffic (site-to-site, to be more precise). How can I be of more help in order to find the exact commands?

You will need the same ACL but reversed on your side and apply it to the crypto map.

To check the exact syntax, please post the output of:

sh run crypto map (for the specific crypto map)

sh run access-list (for the ACL for interesting traffic for this tunnel)

Federico.

Thanks, I figured out the way for the crypto map.

Can you please tell me if there is something wrong with the configuration I am trying to achieve?

So I am telnetting into the ASA, then going into config t and applying these changes.

access-list outside_cryptomap_20 extended permit ip 172.30.2.0 255.255.255.0 10.240.96.98 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 172.30.209.0 255.255.255.0 10.240.96.98 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 172.30.202.0 255.255.255.0 10.240.96.98 255.255.255.0

Yes,

But you're missing this one:

access-list outside_cryptomap_20 extended permit ip 172.30.150.0 255.255.255.0 10.240.96.98 255.255.255.0

Also, when you're done....

Check that both ACLs are a mirror from one another.

Check under the correct crypto map, that you have applied the ACL.

Federico.

I got this error message when I was trying to do one of the commands (
access-list outside_cryptomap_20 extended permit ip 172.30.2.0 255.255.255.0 10.240.96.98 255.255.255.0 )

I am thinking: should I change the netmask to ( 10.240.96.98 255.255.255.255 )? Please advise.

ERROR: IP address,mask <10.240.96.98,255.255.255.0> doesn't pair
Usage:
Extended access list:
        Use this to configure policy for IP traffic through the firewall

[no] access-list [line ] [extended] {deny | permit}
                { | object-group { |
                }}
                {host | | interface | any |
                object-group }
                [ [] |
                object-group ]
                {host | | interface | any |
                object-group }
                [ [] |
                object-group ]
                [log [disable] | [] | [default] [interval ]]
[no] access-list [line ] {deny | permit} icmp
                {host | |
                object-group }
                { | object-group }
                [ | object-group ]
                [log [disable] | [] | [default] [interval ]]
[no] access-list webtype {deny|permit}
                url {|any} [log {disable | default | level}

If .98 is a host (not a network), then you define it with the mask you mentioned (255.255.255.255).

Federico.
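Two checks come up repeatedly in this thread: that the crypto ACLs on both peers mirror each other, and that each address/mask pair actually "pairs" (no host bits set outside the mask, which is what the ASA's "doesn't pair" error is about). The following Python script is an added example, not code from the thread or from Cisco. It parses ASA-style ACEs (subnet mask or `host`) and IOS-style ACEs (wildcard mask), as the peer's lines in this thread are written, and reports any ACE that has no mirrored counterpart on the other side. The sample ACLs embedded below are constructed from the addresses in the thread, with the hub side corrected to use a /32 for the .98 host.

```python
import ipaddress

# Constructed sample input: the four ACEs the peer is adding (IOS wildcard
# syntax) and the ASA-side list written as a true mirror of them.
PEER_ACL = """
permit ip host 10.240.96.98 172.30.2.0 0.0.0.255
permit ip host 10.240.96.98 172.30.150.0 0.0.0.255
permit ip host 10.240.96.98 172.30.209.0 0.0.0.255
permit ip host 10.240.96.98 172.30.202.0 0.0.0.255
"""

ASA_ACL = """
access-list outside_cryptomap_20 extended permit ip 172.30.2.0 255.255.255.0 host 10.240.96.98
access-list outside_cryptomap_20 extended permit ip 172.30.150.0 255.255.255.0 host 10.240.96.98
access-list outside_cryptomap_20 extended permit ip 172.30.209.0 255.255.255.0 host 10.240.96.98
access-list outside_cryptomap_20 extended permit ip 172.30.202.0 255.255.255.0 host 10.240.96.98
"""

# The line from the thread that the ASA rejects: a single host given a /24 mask.
BAD_LINE = ("access-list outside_cryptomap_20 extended permit ip "
            "172.30.2.0 255.255.255.0 10.240.96.98 255.255.255.0")


def _parse_endpoint(tokens, i, wildcard):
    """Consume one address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tok, tokens[i + 1]
    if wildcard:
        # IOS wildcard bits: invert them to get the subnet mask.
        inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    # strict=True refuses an address with bits set outside the mask, which is
    # the same condition the ASA reports as "IP address,mask ... doesn't pair".
    try:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    except ValueError as exc:
        raise ValueError(f"IP address,mask <{addr},{mask}> doesn't pair") from exc
    return net, i + 2


def parse_ace(line, wildcard=False):
    """Return (src_network, dst_network) for one permit/deny ACE, or None."""
    tokens = line.split()
    for kw in ("permit", "deny"):
        if kw in tokens:
            i = tokens.index(kw) + 2  # skip the keyword and the protocol (ip)
            break
    else:
        return None
    src, i = _parse_endpoint(tokens, i, wildcard)
    dst, i = _parse_endpoint(tokens, i, wildcard)
    return src, dst


def parse_acl(text, wildcard=False):
    """Parse a block of ACE lines; set wildcard=True for IOS wildcard-mask syntax."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        ace = parse_ace(line, wildcard)
        if ace:
            aces.append(ace)
    return aces


def validate_line(line, wildcard=False):
    """Return None if the ACE parses cleanly, else the pairing error message."""
    try:
        parse_ace(line, wildcard)
        return None
    except ValueError as exc:
        return str(exc)


def mirror_mismatches(local, remote):
    """Return (only_local, only_remote): ACEs lacking a mirrored counterpart."""
    local_set = set(local)
    mirrored_remote = {(dst, src) for src, dst in remote}
    return sorted(local_set - mirrored_remote), sorted(mirrored_remote - local_set)


def is_mirror(local, remote):
    only_local, only_remote = mirror_mismatches(local, remote)
    return not only_local and not only_remote


if __name__ == "__main__":
    local = parse_acl(ASA_ACL)
    remote = parse_acl(PEER_ACL, wildcard=True)
    print("mirror OK" if is_mirror(local, remote) else mirror_mismatches(local, remote))
    print(validate_line(BAD_LINE))
```

Running the script with the constructed lists reports a clean mirror; dropping the 172.30.150.0 line from the ASA side, as happened in the thread, shows up as an ACE present only on the peer, and the rejected /24 line is flagged with the same "doesn't pair" wording the ASA uses.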
