Got a bit of a strange issue here. We have a LAN to LAN up and going if we allow all IP traffic to pass, but as soon as we start adding restrictions it won't work. I wind up with the IP address of the remote device in the logs as trying to connect. I have an ASA on this end and they have PIX on that end. He swears he has nat disabled for the tunnel, we both have NAT-T enabled.
I am adding the restrictions as an ACL in IPSEC rules.
I edited out the addresses that I don't want out there. But the xx.xxx.150.17 address is the address of their PIX, the 192.168.49.0 is the subnet that I am allowing and xxx.xx.176.22 is the address he is trying to connect to.
I one line of the ACL that I have here is:
access-list outside_cryptomap_260 line 2 extended permit tcp host xxx.xx.176.22
192.168.49.0 255.255.255.0 eq telnet (hitcnt=0)
What I am not clear on is why we are seeing the PIX address there instead of the 192.168.49.0 addresses when they try to telnet.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...