Hi

We are having a IPsec VPN Tunnel setup with client.

The far site gave access to a new range (a website basically hosting on their site)-10.40.36.173:8085

They allowed traffic across the tunnel from: 10.40.36.173:8085  to      10.20.42.0/23, 10.21.42.0/23, 192.168.42.0/24

From my end we are using 3 IP Ranges when sending traffic to farsite:

10.20.42.0/23

10.21.42.0/23
192.168.42.0/24
 

To make sure the traffic that is sent between both end points is sent  across the tunnel encrypted and not via another channel the I want to  write Crypto ACL configured on my side which was already mirrored on  far end.

So I just logged on ASA CLI and went to global mode and added the ACL and no nat to access the destination point from all of our IP Ranges as below,

access-list nonat  extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173

access-list nonat line 11 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173

access-list nonat line 11 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173

access-list xx line 4 extended permit ip 192.168.42.0 255.255.255.0 host 10.40.36.173 (hitcnt=30) 0x30941176

access-list xx line 4 extended permit ip 10.40.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176

access-list xx line 4 extended permit ip 10.41.42.0 255.255.254.0 host 10.40.36.173 (hitcnt=0) 0x30941176

I cant access though from any of the range but can access all previous configured tools, basically newbee to firewall any help much appreciated

I hope I have not confused anyone, if anyone has any questions please let me know, I look forward for your valuable response,