Cisco Support Community
ASA Interesting Traffic Question

I am very new to the Cisco ASA and I have a question about the ACLs that are used to define interesting traffic.  From what I've been told, these ACLs must match exactly on both ends of the tunnel in order for the LAN to LAN (IPSec) Tunnel to work.  We have an organization that we work with who accesses a server within our LAN.  The current L2L tunnel allows them access to our 192.168.5.x network from their 172.16.2.x network.  I just discovered that this server redirects them to 192.168.2.x when they try to access a specific function.  I was hoping to just add the 192.168.2.x network to the ACL that defines interesting traffic, but I don't think it will be that easy.  It seems to me that the other end of the L2L tunnel will need to define that network in their ACL and configure the appropriate routing.  Can any of you help me understand this better?

1 REPLY

Hi,

If you have at the moment configured your L2L VPN between (for example) 192.168.5.0/24  and 172.16.2.0/24 networks and they need to also access your network 192.168.2.0/24, you will have to add that network to your ACL matching the VPN traffic.

Basically you will need the ACL line (the ACL name was lost from the post; <crypto-acl-name> is a placeholder for your crypto map ACL):

access-list <crypto-acl-name> permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0

You'll probably also need a NAT0/NAT Exempt statement (again <nat0-acl-name> and <inside-interface> are placeholders for the names lost from the post):

access-list <nat0-acl-name> permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0

nat (<inside-interface>) 0 access-list <nat0-acl-name>

And of course you will need the same as a mirror image on the other VPN device.


- Jouni
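As an added check, not code from the thread or from Cisco, the following script parses the crypto ACL from both ASAs and reports any entry that lacks an exact mirror image on the peer, which is the matching requirement the question and the reply describe. The ACL names and the peer's configuration are constructed sample input; the peer is shown before it has added the 192.168.2.0/24 line.

```python
import ipaddress
import re

# Constructed sample input: our ASA after the new ACE has been added,
# and the partner's ASA before they mirrored it. ACL names are assumptions.
LOCAL_ASA_ACL = """
access-list VPN-TO-PARTNER permit ip 192.168.5.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list VPN-TO-PARTNER permit ip 192.168.2.0 255.255.255.0 172.16.2.0 255.255.255.0
"""
PEER_ASA_ACL = """
access-list VPN-TO-US permit ip 172.16.2.0 255.255.255.0 192.168.5.0 255.255.255.0
"""

# ASA 'permit ip' ACE with subnet masks: source, source mask, destination, destination mask
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)


def parse_crypto_acl(text):
    """Return the set of (source_network, destination_network) pairs in the ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank lines, remarks, and anything that is not a 'permit ip' ACE
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_text, peer_text):
    """Compare both crypto ACLs as proxy identities.

    Returns (missing_on_peer, missing_on_local): local pairs with no swapped
    counterpart on the peer, and peer pairs with no counterpart locally.
    """
    local = parse_crypto_acl(local_text)
    peer_mirrored = {(dst, src) for src, dst in parse_crypto_acl(peer_text)}
    return sorted(local - peer_mirrored, key=str), sorted(peer_mirrored - local, key=str)


if __name__ == "__main__":
    missing_on_peer, missing_on_local = mirror_mismatches(LOCAL_ASA_ACL, PEER_ASA_ACL)
    for src, dst in missing_on_peer:
        print(f"peer lacks mirror of {src} -> {dst}")
    for src, dst in missing_on_local:
        print(f"local lacks mirror of {src} -> {dst}")
```

Either list being non-empty means the tunnel will not come up for that subnet pair, which is the symptom the question anticipates.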
