06-02-2012 07:46 AM - edited 03-11-2019 04:14 PM
Hi
We have an IPsec VPN tunnel set up with a client.
The far site gave access to a new range (basically a website hosted on their site): 10.40.36.173:8085
They allowed traffic across the tunnel from 10.40.36.173:8085 to 10.20.42.0/23, 10.21.42.0/23, 192.168.42.0/24
From my end we are using 3 IP ranges when sending traffic to the far site:
10.20.42.0/23
10.21.42.0/23
192.168.42.0/24
To make sure the traffic sent between both endpoints goes across the tunnel encrypted and not via another channel, I want to write the crypto ACL on my side, which is already mirrored on the far end.
So I just logged on to the ASA CLI, went to global configuration mode and added the ACL and NO NAT entries to reach the destination from all of our IP ranges, as below:
access-list nonat extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173
access-list nonat line 11 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173
access-list nonat line 11 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173
access-list xx line 4 extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173 (hitcnt=30) 0x30941176
access-list xx line 4 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176
access-list xx line 4 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176
I can't access it from any of the ranges, but I can access all previously configured tools. I'm basically a newbie to firewalls, so any help is much appreciated.
I hope I have not confused anyone. If anyone has any questions please let me know; I look forward to your valuable responses.
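A quick consistency check a firewall admin can run before touching the tunnel, added here as an example and not part of the thread: it parses the ASA `permit ip <net> <mask> host <ip>` entries pasted above and compares their source networks with the three ranges the far end said it permits. The expected ranges, the remote host and the ACL text are taken from the post; the function names are my own.

```python
import ipaddress
import re

# Values taken from the thread: ranges the far end allows towards the remote host,
# and the nonat ACL lines as pasted (constructed sample input for this example).
EXPECTED_SOURCES = ["10.20.42.0/23", "10.21.42.0/23", "192.168.42.0/24"]
REMOTE_HOST = "10.40.36.173"

ACL_LINES = """\
access-list nonat extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173
access-list nonat line 11 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173
access-list nonat line 11 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173
"""

# One ASA ACE of the form: access-list NAME [line N] extended permit ip SRC MASK host DST
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_aces(text):
    """Return (acl_name, source network, destination host) for each matching ACE."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{m['src']}/{m['mask']}", strict=False)
            aces.append((m["name"], net, ipaddress.ip_address(m["dst"])))
    return aces


def check_mirror(aces, expected_sources, remote_host):
    """Compare ACE sources against the ranges the peer permits.
    Returns (missing, unexpected): expected networks with no ACE, and ACE sources the
    peer never listed, so their traffic would not match the mirrored crypto ACL."""
    expected = {ipaddress.ip_network(n) for n in expected_sources}
    remote = ipaddress.ip_address(remote_host)
    present = {net for _, net, dst in aces if dst == remote}
    missing = sorted(expected - present, key=str)
    unexpected = sorted(present - expected, key=str)
    return [str(n) for n in missing], [str(n) for n in unexpected]


if __name__ == "__main__":
    missing, unexpected = check_mirror(parse_aces(ACL_LINES), EXPECTED_SOURCES, REMOTE_HOST)
    print("missing from ACL:", missing)
    print("not permitted by peer:", unexpected)
```

On the pasted lines this reports 10.20.42.0/23 and 10.21.42.0/23 as missing and 10.40.42.0/23 and 10.41.42.0/23 as sources the peer did not list, which is worth resolving before clearing any SAs.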
06-02-2012 05:25 PM
Hi,
Please run a packet-tracer:
packet-tracer input inside icmp local_network 8 0 remote_network detail
Please attach the output.
Thanks in advance.
Sent from Cisco Technical Support Android App
06-02-2012 09:26 AM
Hi,
Are you able to ping from your LAN to the remote host? What exactly stopped working?
Thanks.
Sent from Cisco Technical Support Android App
06-02-2012 10:49 AM
Hi
Thanks for your reply
Well, I can't ping from the LAN to the remote host, or telnet on the requested ports either, as it is a new ACL added to the crypto tunnel.
Do I need to do anything like clear crypto ipsec sa or clear crypto isakmp sa to re-establish the tunnel? We haven't got anyone on the other side at the moment to actually test.
06-02-2012 08:13 PM
Have the tunnel negotiations completed successfully after the change? What does your sh cry ipsec sa output look like? As Jav mentioned, a packet-tracer from your specified local network to the remote peer network will basically tell us the exact problem. Oh, the power of ASAs.. gotta love the IOS
06-20-2012 01:10 PM
It's a fault with the peer IP; assigned the crypto map and renegotiated, tunnel up.