subnetmask in crypto acl changes when used in ipsec tunneling

cisco · ‎10-22-2010

I have a strange problem when setting up an ipsec-tunnel between my Cisco ASA 5520 (8.3(2)) and a remote Firewall1. At both firewalls we configure the ACL's with one entry for each network we want tunneled. On my side these networks are 158.36.44.0/24, 158.36.45.0/24, 158.36.46.0/24 and 158.36.60.0/24. At the remote site the network is 10.1.131.0/24. Traffic to/from the 158.36.46.0 and 158.36.60.0 works fine, but we cannot initiate traffic from remote site to 158.36.44.0 or 158.36.45.0, the logs says that the ACL's do not match. What I think is happening is that even if we configure one entry pr. network in the ACL, one of the firewall "simplifies" the 158.36.44.0/24 and 158.36.45.0/24-entries and instead uses 158.36.44.0/23 (mask 255.255.254.0) This address/mask should include both networks, but I think that the firewalls see this as an mismatch.

Any tips on this?

Federico Coto Fajardo · ‎10-22-2010

Hi,

If you define the crypto identities as /24 mask that's what it should use.

You can check it by doing a ''sh cry ipsec sa'' and check the SAs for the identities (it will show the networks with the masks being used to send traffic through the tunnel).

Unless you actually configure the interesting traffic to be /23, it shouldn't use this mask.

Federico.

jan.nielsen · ‎10-22-2010

Checkpoint has a "send subnet/netmask" flag somewhere in the config of the vpn, look for that, sounds like thats your problem.