subnetmask in crypto acl changes when used in ipsec tunneling

I have a strange problem when setting up an IPsec tunnel between my Cisco ASA 5520 (8.3(2)) and a remote Firewall1. At both firewalls we configure the ACLs with one entry for each network we want tunneled. On my side these networks are 158.36.44.0/24, 158.36.45.0/24, 158.36.46.0/24 and 158.36.60.0/24. At the remote site the network is 10.1.131.0/24. Traffic to/from 158.36.46.0 and 158.36.60.0 works fine, but we cannot initiate traffic from the remote site to 158.36.44.0 or 158.36.45.0; the logs say that the ACLs do not match. What I think is happening is that even if we configure one entry per network in the ACL, one of the firewalls "simplifies" the 158.36.44.0/24 and 158.36.45.0/24 entries and instead uses 158.36.44.0/23 (mask 255.255.254.0). This address/mask should include both networks, but I think that the firewalls see this as a mismatch.

Any tips on this?


Re: subnetmask in crypto acl changes when used in ipsec tunneling

Hi,

If you define the crypto identities as /24 mask that's what it should use.

You can check it by doing a "sh cry ipsec sa" and checking the SAs for the identities (it will show the networks with the masks being used to send traffic through the tunnel).

Unless you actually configure the interesting traffic to be /23, it shouldn't use this mask.

Federico.

Re: subnetmask in crypto acl changes when used in ipsec tunneling

Check Point has a "send subnet/netmask" flag somewhere in the config of the VPN; look for that, it sounds like that's your problem.
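The mismatch both replies describe can be reproduced offline. The following Python script is an added example, not code from the thread or from Cisco or Check Point: it takes the four local networks the poster listed as a crypto ACL, a constructed set of proxy IDs a peer would propose after summarising 158.36.44.0/24 and 158.36.45.0/24 into 158.36.44.0/23, and classifies each proposal the way an IKEv1 responder that requires identical proxy identities would. A supernet that merely covers an ACL entry is reported as such rather than as a match, which is why only 158.36.46.0 and 158.36.60.0 pass.

```python
import ipaddress

# Constructed from the networks named in the thread; not the poster's real config.
LOCAL_CRYPTO_ACL = [            # (our local network, remote network)
    ("158.36.44.0/24", "10.1.131.0/24"),
    ("158.36.45.0/24", "10.1.131.0/24"),
    ("158.36.46.0/24", "10.1.131.0/24"),
    ("158.36.60.0/24", "10.1.131.0/24"),
]

# Constructed: what a peer proposes after summarising 44/24 + 45/24 into 44/23.
PEER_PROPOSALS = [              # (peer's source, peer's destination)
    ("10.1.131.0/24", "158.36.44.0/23"),
    ("10.1.131.0/24", "158.36.46.0/24"),
    ("10.1.131.0/24", "158.36.60.0/24"),
]

def _net(s):
    return ipaddress.ip_network(s, strict=True)

def classify_proposal(peer_src, peer_dst, acl):
    """'match' if an ACL entry is identical to the mirrored proposal, 'supernet'
    if the peer's identity only covers one of our /24s (summarised), else 'none'."""
    local, remote = _net(peer_dst), _net(peer_src)   # mirror the peer's view
    for acl_local, acl_remote in acl:
        if _net(acl_local) == local and _net(acl_remote) == remote:
            return "match"
    for acl_local, acl_remote in acl:
        if _net(acl_local).subnet_of(local) and _net(acl_remote) == remote:
            return "supernet"
    return "none"

def check_proposals(proposals=PEER_PROPOSALS, acl=LOCAL_CRYPTO_ACL):
    return {f"{s} -> {d}": classify_proposal(s, d, acl) for s, d in proposals}

def covered_but_unmatched(proposals=PEER_PROPOSALS, acl=LOCAL_CRYPTO_ACL):
    """ACL entries a summarised identity covers but never matches exactly:
    reachable on paper, yet no SA will ever be built for them."""
    out = []
    for acl_local, acl_remote in acl:
        l, r = _net(acl_local), _net(acl_remote)
        exact = any(_net(d) == l and _net(s) == r for s, d in proposals)
        covered = any(l.subnet_of(_net(d)) and _net(s) == r for s, d in proposals)
        if covered and not exact:
            out.append(acl_local)
    return out

if __name__ == "__main__":
    for pair, verdict in check_proposals().items():
        print(f"{pair}: {verdict}")
    print("covered only by a summarised identity:", covered_but_unmatched())
```

Run it against the identities shown by "show crypto ipsec sa" on the ASA and the peer's configured encryption domain to see which side is summarising.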
