Cisco Support Community

New Member

L2L Connection issues

Got a bit of a strange issue here. We have a LAN-to-LAN up and going if we allow all IP traffic to pass, but as soon as we start adding restrictions it won't work. I wind up with the IP address of the remote device in the logs as trying to connect. I have an ASA on this end and they have a PIX on that end. He swears he has NAT disabled for the tunnel; we both have NAT-T enabled.

Anyone got any ideas?

4 REPLIES
Green

Re: L2L Connection issues

You'll have to be a bit more specific. Where are you placing these restrictions? Are you using sysopt connection permit-ipsec? Example of the logs you are seeing etc.

New Member

Re: L2L Connection issues

I am adding the restrictions as an ACL in IPSEC rules.

I edited out the addresses that I don't want out there. But the xx.xxx.150.17 address is the address of their PIX, the 192.168.49.0 is the subnet that I am allowing and xxx.xx.176.22 is the address he is trying to connect to.

One line of the ACL that I have here is:

access-list outside_cryptomap_260 line 2 extended permit tcp host xxx.xx.176.22 192.168.49.0 255.255.255.0 eq telnet (hitcnt=0)

What I am not clear on is why we are seeing the PIX address there instead of the 192.168.49.0 addresses when they try to telnet.

Green

Re: L2L Connection issues

This is not the correct way to filter the traffic in the tunnel.

Leave your cryptomap acls as...

access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0

and on the other end...

access-list outside_cryptomap_260 extended permit ip 192.168.49.0 255.255.255.0 host xxx.xx.176.22

To filter the traffic, one option is to remove "sysopt connection permit-ipsec/vpn" and use your interface ACLs to filter the traffic.

Another option on the ASA is to use a vpn-filter. This link is for remote access VPN, but it works for L2L as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
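As an added illustration of the approach described in the reply above (not configuration from the thread), here is an ASA-side fragment that keeps the crypto ACL as plain "permit ip" and does the telnet-only restriction with a vpn-filter instead. The ACL name L2L_FILTER, the group-policy name L2L_POLICY and the interface ACL OUTSIDE_IN are assumed names; the peer address xx.xxx.150.17, the local host xxx.xx.176.22 and the remote subnet 192.168.49.0/24 are taken from the thread.

```cisco
! Crypto ACL (interesting traffic): stays broad and is mirrored on the PIX side.
! Narrowing this to one protocol/port is what broke the tunnel in the thread.
access-list outside_cryptomap_260 extended permit ip host xxx.xx.176.22 192.168.49.0 255.255.255.0
!
! vpn-filter ACL (assumed name). A vpn-filter ACL is written from the REMOTE
! side's point of view: source = remote network, destination = local host.
! Only telnet from the remote subnet to the local host is allowed; the
! implicit deny at the end drops everything else inside the tunnel.
access-list L2L_FILTER extended permit tcp 192.168.49.0 255.255.255.0 host xxx.xx.176.22 eq telnet
!
! Attach the filter to a group policy (assumed name) ...
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value L2L_FILTER
!
! ... and make that policy the default for the L2L tunnel-group, which is
! named after the PIX peer address given in the thread.
tunnel-group xx.xxx.150.17 type ipsec-l2l
tunnel-group xx.xxx.150.17 general-attributes
 default-group-policy L2L_POLICY
!
! Alternative named in the reply (commented out here): turn off the ACL bypass
! for VPN traffic so the outside interface ACL (assumed name) filters the
! decrypted packets instead. Use one approach or the other, not both at once.
! no sysopt connection permit-vpn
! access-list OUTSIDE_IN extended permit tcp 192.168.49.0 255.255.255.0 host xxx.xx.176.22 eq telnet
! access-group OUTSIDE_IN in interface outside
```

With the vpn-filter in place, "show asp drop" and the syslog for denied flows show the filter drops, which is where to look when a permitted application still fails.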

New Member

Re: L2L Connection issues

Thanks... I was starting to come to the conclusion that was the wrong place to set the restrictions, but I didn't know where to look.
