Crypto acl with a deny line for L2L vpn

Hi everyone, please, I have problems with some L2L VPNs with an ASA ver. 7.2 and some Checkpoint, and I have a deny line in the crypto ACL. Is that possible, or could it be some problem related with this?? I don't have matches in these lines.

This is the crypto acl.

access-list xxx extended deny ip 172.0.0.0 255.255.0.0 host VMCPRD

access-list xxx extended deny ip 172.16.1.0 255.255.255.0 host VMCPRD

access-list xxx extended deny ip 10.167.0.0 255.255.240.0 host VMCPRD

access-list xxx extended permit ip 10.167.0.0 255.255.240.0 132.145.0.0 255.255.0.0

access-list xxx extended permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0

access-list xxx extended permit ip 10.167.0.0 255.255.240.0 200.123.188.0 255.255.255.0

access-list xxx extended permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0

access-list xxx extended permit ip 172.0.0.0 255.255.0.0 132.145.0.0 255.255.0.0

access-list xxx extended permit ip 172.0.0.0 255.255.0.0 10.162.0.0 255.255.0.0

Thanks.

Regards!!!

4 REPLIES
New Member

Re: Crypto acl with a deny line for L2L vpn

Are those IP ranges able to get to VMCPRD hosts? Is that what is happening? I'm not clear on what you mean. But let me give this a shot...

Since this is a crypto match-address ACL, I would remove the deny statements and only allow traffic between the local subnets and remote subnets. Then I would add a deny ACL statement in the ethernet interface. Hope this helps.

New Member

Re: Crypto acl with a deny line for L2L vpn

Hi!!!

Yes, maybe I need to be more clear. I need all the traffic to be encrypted except the deny lines, but I need all traffic to pass through the firewall. That's the idea. Thanks a lot.

Regards.

New Member

Re: Crypto acl with a deny line for L2L vpn

The VMCPRD has this IP address: 10.162.7.19. If you see, it is in the interesting traffic that I declare in the crypto ACL.

New Member

Re: Crypto acl with a deny line for L2L vpn

Have you defined the crypto ACL at the other end to not encrypt 10.162.7.19 to the other IP ranges? Also, I would try replacing the name "VMCPRD" in the ACL with the IP address instead. Since I have not seen a deny statement used on a crypto ACL, I hope someone else can assist.

Good luck.
