Cisco Support Community

New Member

ASA - 5520 - ACL

Hello everyone,

I have a quick and easy one for you guys. I am using an ASA 5520 with the following versions: Cisco Adaptive Security Appliance Software Version 8.2(2),
Device Manager Version 6.2(5).

I already have a VPN tunnel established. However, I just want to verify some new configuration that I am about to do.

1> On either side of the VPN our clients are making the following changes...

permit ip host 10.240.96.98 172.30.2.0 0.0.0.255

permit ip host 10.240.96.98 172.30.150.0 0.0.0.255

permit ip host 10.240.96.98 172.30.209.0 0.0.0.255

permit ip host 10.240.96.98 172.30.202.0 0.0.0.255

My question is: what changes (commands) do I have to make on my end (on the ASA) to allow these changes to work?

Thanks in Advance

7 REPLIES

Re: ASA - 5520 - ACL

Hi,

If this ACL is the access-list for VPN traffic, then you should remove any other statements from that ACL and include the list in the crypto map instance for this tunnel.

The exact commands that you need depends on the existing configuration.

Remember that the crypto ACL needs to be a mirror on both sides.

Federico.

New Member

Re: ASA - 5520 - ACL

Thanks for replying.

Yes, the ACL is the access-list for VPN traffic (site-to-site, to be more precise). How can I be more of a help in order to find the exact commands?

Re: ASA - 5520 - ACL

You will need the same ACL but reversed on your side and apply it to the crypto map.

To check the exact syntax, please post the output of:

sh run crypto map (for the specific crypto map)

sh run access-list (for the ACL for interesting traffic for this tunnel)

Federico.

New Member

Re: ASA - 5520 - ACL

Thanks, I figured out the way for the crypto map.

Can you please tell me if there is something wrong with the configuration I am trying to achieve?

So I am telnetting into the ASA, then going into config-t and applying these changes.

access-list outside_cryptomap_20 extended permit ip 172.30.2.0 255.255.255.0 10.240.96.98 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 172.30.209.0 255.255.255.0 10.240.96.98 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 172.30.202.0 255.255.255.0 10.240.96.98 255.255.255.0

Re: ASA - 5520 - ACL

Yes,

But you're missing this one:

access-list outside_cryptomap_20 extended permit ip 172.30.150.0 255.255.255.0 10.240.96.98 255.255.255.0

Also, when you're done....

Check that both ACLs are a mirror from one another.

Check under the correct crypto map, that you have applied the ACL.

Federico.

New Member

Re: ASA - 5520 - ACL

I got this error message when I was trying to do one of the commands (
access-list outside_cryptomap_20 extended permit ip 172.30.2.0 255.255.255.0 10.240.96.98 255.255.255.0 )

I am thinking, should I change the netmask to (10.240.96.98 255.255.255.255)? Please advise.

ERROR: IP address,mask <10.240.96.98,255.255.255.0> doesn't pair
Usage:
Extended access list:
        Use this to configure policy for IP traffic through the firewall

[no] access-list [line ] [extended] {deny | permit}
                { | object-group { |
                }}
                {host | | interface | any |
                object-group }
                [ [] |
                object-group ]
                {host | | interface | any |
                object-group }
                [ [] |
                object-group ]
                [log [disable] | [] | [default] [interval ]]
[no] access-list [line ] {deny | permit} icmp
                {host | |
                object-group }
                { | object-group }
                [ | object-group ]
                [log [disable] | [] | [default] [interval ]]
[no] access-list webtype {deny|permit}
                url {|any} [log {disable | default | level}

Re: ASA - 5520 - ACL

If .98 is a host (not a network), then you define it with the mask you mentioned (255.255.255.255).

Federico.
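As an added example (not code from the thread or from Cisco), this script does the conversion Federico describes: it takes the remote side's IOS-style crypto ACL (wildcard masks, as posted by the questioner), swaps source and destination, and emits the ASA mirror ACL with subnet masks, rendering the single host as `host 10.240.96.98` (the 255.255.255.255 case the error above complains about). It assumes the remote ACL contains only simple `permit ip` entries; the sample ACL text is constructed from the thread.

```python
import ipaddress

# Constructed sample: the remote side's IOS-style crypto ACL from the thread
# (wildcard masks), as posted by the original questioner.
REMOTE_IOS_ACL = """
permit ip host 10.240.96.98 172.30.2.0 0.0.0.255
permit ip host 10.240.96.98 172.30.150.0 0.0.0.255
permit ip host 10.240.96.98 172.30.209.0 0.0.0.255
permit ip host 10.240.96.98 172.30.202.0 0.0.0.255
"""

def _parse_endpoint(tokens):
    """Consume one address spec from IOS ACL tokens; return (network, rest).
    IOS uses wildcard masks; 'host X' and 'any' are also accepted."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of the ASA subnet mask.
    mask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_ios_ace(line):
    """Parse 'permit ip <src> <dst>' into (src_network, dst_network)."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_endpoint(tokens[2:])
    dst, _ = _parse_endpoint(rest)
    return src, dst

def asa_endpoint(net):
    """Render a network in ASA syntax: 'host' for /32, 'any' for /0, else addr mask."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.netmask}"

def mirror_for_asa(ios_acl_text, acl_name):
    """Build the ASA crypto ACL that mirrors the remote IOS crypto ACL:
    source and destination swapped, wildcard masks converted to subnet masks."""
    out = []
    for line in ios_acl_text.strip().splitlines():
        src, dst = parse_ios_ace(line)
        out.append(f"access-list {acl_name} extended permit ip "
                   f"{asa_endpoint(dst)} {asa_endpoint(src)}")
    return out
```

Compare the generated lines against `sh run access-list` on the ASA; any entry that is not the exact swap of the remote side's entry breaks the mirror requirement for the tunnel.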
