Cisco Support Community

New Member

ASA Understanding on ACL's

I'm in the process of setting up VPN.  The setup is easy, but ACLs can be rather difficult to get working correctly, even when something is missing.  It seems I can ping and access my server network.  I can access and ping my core switch with no problems.  Anything past that I cannot reach, ping or access.

I've gone as far as creating a Standard ACL and an Extended one, and neither will work.

What is missing to make this work correctly?

1 ACCEPTED SOLUTION

Cisco Employee

Re: ASA Understanding on ACL's

Assuming that the network that you are trying to access is connected to the ASA inside interface.

So if you run the command: "sh run nat", you should see a NAT exemption statement as follows:

nat (inside) 0 access-list

On that access-list, you should add an access-list line that says to permit from source: the network behind the core switch that you were trying to access towards the vpn ip pool subnet.

And on your core switch, if the ASA is not the default gateway, you would need to add a route for the ip pool subnet towards the ASA.

Hope that helps.
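As an added illustration of the accepted answer (example configuration written for this page, not taken from the thread or from any poster), here is what the three pieces look like together on an ASA using the same pre-8.3 `nat (inside) 0 access-list` form: the split-tunnel list, the NAT exemption list with a line for the network behind the core switch, and the routes on both sides. All addresses are assumed for the example: a VPN pool of 192.168.200.0/24, a server network of 192.168.57.0/24 directly on the ASA inside interface (ASA at 192.168.57.1, core switch at 192.168.57.2), and a network of 10.10.0.0/16 reachable only through the core switch.

```text
! --- ASA (pre-8.3 NAT syntax, matching the "nat (inside) 0 access-list" form above) ---
! Assumed addressing, constructed for this example:
!   VPN client pool        192.168.200.0/24
!   server network         192.168.57.0/24  (directly on the ASA inside interface)
!   network behind core    10.10.0.0/16     (reached via the core switch at 192.168.57.2)
ip local pool VPN-POOL 192.168.200.10-192.168.200.100 mask 255.255.255.0

! Split-tunnel list: tells the client which destinations are sent into the tunnel
access-list IS-Split-Tunnel standard permit 192.168.57.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 10.10.0.0 255.255.0.0

group-policy VPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IS-Split-Tunnel

! NAT exemption list: one line per internal network towards the pool subnet.
! The 10.10.0.0/16 line is the one that is typically missing when a network
! beyond the core switch answers from the LAN but not from VPN clients.
access-list NONAT extended permit ip 192.168.57.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT

! The ASA itself also needs a route to the network behind the core switch
route inside 10.10.0.0 255.255.0.0 192.168.57.2

! --- Core switch (IOS), only if the ASA is not its default gateway ---
! Return traffic for the VPN pool must be sent back to the ASA inside address
ip route 192.168.200.0 255.255.255.0 192.168.57.1

! --- Verify on the ASA ---
show run nat
show run access-list NONAT
packet-tracer input outside icmp 192.168.200.10 8 0 10.10.1.5 detailed
```

The `packet-tracer` line simulates a decrypted packet from a VPN client to a host behind the core switch and shows which NAT rule and route the ASA applies; if the NAT phase shows address translation instead of identity (exempt) handling, the NONAT entry for that subnet is missing. On ASA 8.3 and later the `nat (inside) 0 access-list` statement no longer exists and the same exemption is expressed as a twice NAT identity rule (`nat (inside,outside) source static ... destination static ...`); the split-tunnel list and the routes are unchanged.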

6 REPLIES
New Member

Re: ASA Understanding on ACL's

Hi

There are two access lists used in a typical IPsec VPN configuration. One access list is used to exempt traffic that is destined for the VPN tunnel from the NAT process. The other access list defines what traffic to encrypt. If these ACLs are incorrectly configured or missing, traffic might only flow in one direction across the VPN tunnel.

Be sure that you have configured all of the access lists necessary to complete your IPsec VPN configuration and that those access lists define the correct traffic. Are you able to post the ACLs?

Regards

New Member

Re: ASA Understanding on ACL's

Here is what I have listed on ACLs pertaining to what I am allowing.

Standard list:

access-list IS-Split-Tunnel standard permit 192.255.255.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 192.168.57.0 255.255.255.0
access-list IS-Split-Tunnel standard permit 10.0.0.0 255.0.0.0
access-list IS-Split-Tunnel standard permit 192.167.100.0 255.255.255.0

Extended List:

Cisco Employee

Re: ASA Understanding on ACL's

Another access-list that is required is the NAT exemption access-list. You would need to add the new internal subnet towards the ip pool subnet.

Also remember to route traffic towards the ip pool in your internal switch/router towards the ASA firewall.

Hope that helps.

New Member

Re: ASA Understanding on ACL's

halijenn

How about an example?

New Member

Re: ASA Understanding on ACL's

Here is my latest, but still no success in getting the rest of the way.
