06-16-2010 09:13 AM
Hello everyone,
I have a quick and easy one for you guys. I am using an ASA 5520 with the following versions: Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5).
I already have a VPN tunnel established. However, I just want to verify some new configuration that I am about to do.
1. On either side of the VPN our clients are making the following changes:
permit ip host 10.240.96.98 172.30.2.0 0.0.0.255
permit ip host 10.240.96.98 172.30.150.0 0.0.0.255
permit ip host 10.240.96.98 172.30.209.0 0.0.0.255
permit ip host 10.240.96.98 172.30.202.0 0.0.0.255
My question is: what changes (commands) do I have to make on my end (on the ASA) to allow these changes to work?
Thanks in Advance
06-16-2010 10:52 AM
Hi,
If this ACL is the access-list for VPN traffic, then you should remove any other statements on that ACL and include the list in the crypto map instance for this tunnel.
The exact commands that you need depends on the existing configuration.
Remember that the crypto ACL needs to be a mirror on both sides.
Federico.
06-16-2010 01:14 PM
Thanks for replying.
Yes, the ACL is the access-list for VPN traffic (site-to-site, to be more precise). How can I be more of a help in order to find the exact commands?
06-17-2010 07:15 AM
You will need the same ACL but reversed on your side and apply it to the crypto map.
To check the exact syntax, please post the output of:
sh run crypto map (for the specific crypto map)
sh run access-list (for the ACL for interesting traffic for this tunnel)
Federico.
06-17-2010 10:04 AM
Thanks, I figured out the way for the crypto map.
Can you please tell me if there is something wrong with the configuration I am trying to achieve?
So I am telnetting into the ASA, then going into config-t and applying these changes.
access-list outside_cryptomap_20 extended permit ip 172.30.2.0 255.255.255.0 10.240.96.98 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.30.209.0 255.255.255.0 10.240.96.98 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.30.202.0 255.255.255.0 10.240.96.98 255.255.255.0
06-17-2010 10:25 AM
Yes,
But you're missing this one:
access-list outside_cryptomap_20 extended permit ip 172.30.150.0 255.255.255.0 10.240.96.98 255.255.255.0
Also, when you're done....
Check that both ACLs are a mirror from one another.
Check under the correct crypto map, that you have applied the ACL.
Federico.
06-17-2010 10:49 AM
I got this error message when I was trying to do one of the commands (
access-list outside_cryptomap_20 extended permit ip 172.30.2.0 255.255.255.0 10.240.96.98 255.255.255.0 )
I am thinking, should I change the netmask to (10.240.96.98 255.255.255.255)? Please advise.
ERROR: IP address,mask <10.240.96.98,255.255.255.0> doesn't pair
06-17-2010 10:50 AM
If .98 is a host (not a network), then you define it with the mask you mentioned (255.255.255.255).
Federico.
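The mirroring rule and the host-mask fix from this thread, as an added Python example that is not from the original posts: it converts the peer's IOS wildcard-mask entries into the mirrored ASA netmask form (a host becomes 255.255.255.255) and checks that the two crypto ACLs pair off exactly. The ACL name outside_cryptomap_20 and the sample entries are taken from the thread; the helper names are my own.

```python
import ipaddress

# Constructed sample: the peer's IOS-style crypto ACL entries quoted in the thread.
PEER_ACL = """\
permit ip host 10.240.96.98 172.30.2.0 0.0.0.255
permit ip host 10.240.96.98 172.30.150.0 0.0.0.255
permit ip host 10.240.96.98 172.30.209.0 0.0.0.255
permit ip host 10.240.96.98 172.30.202.0 0.0.0.255
"""

def parse_endpoint(tokens):
    """Consume one IOS ACE endpoint, 'host A' or 'A WILDCARD'; return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of a netmask: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}"), tokens[2:]

def parse_ios_ace(line):
    """'permit ip <src> <dst>' -> (src_network, dst_network)."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = parse_endpoint(tokens[2:])
    dst, _ = parse_endpoint(rest)
    return src, dst

def parse_asa_ace(line):
    """'access-list NAME extended permit ip SRC MASK DST MASK' -> (src, dst).
    strict=True rejects a host address under a network mask, the same mismatch
    the ASA reports as "doesn't pair"."""
    t = line.split()
    return (ipaddress.ip_network(f"{t[5]}/{t[6]}", strict=True),
            ipaddress.ip_network(f"{t[7]}/{t[8]}", strict=True))

def asa_ace(name, src, dst):
    """Render one ASA extended ACE; ASA takes netmasks, so a host is 255.255.255.255."""
    return (f"access-list {name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")

def mirror_acl(peer_acl_text, name):
    """Build our crypto ACL from the peer's: their source is our destination."""
    return [asa_ace(name, dst, src)
            for src, dst in map(parse_ios_ace, peer_acl_text.strip().splitlines())]

def is_mirror(peer_acl_text, asa_lines):
    """True when the two ACLs pair off exactly (same flows, swapped), order ignored."""
    peer = {parse_ios_ace(l) for l in peer_acl_text.strip().splitlines()}
    ours = {(dst, src) for src, dst in map(parse_asa_ace, asa_lines)}
    return peer == ours
```

Feeding the three entries posted in the thread (without the .150 line) to is_mirror returns False, and the line that used 255.255.255.0 on the host address is rejected by parse_asa_ace just as the ASA rejected it.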