Hi everyone, please, I have problems with some L2L VPNs with an ASA ver. 7.2 and some Check Points, and I have a deny line in the crypto ACL. Is that possible, or could it be some problem related to this?? I don't have matches in these lines.
This is the crypto ACL.
access-list xxx extended deny ip 184.108.40.206 255.255.0.0 host VMCPRD
access-list xxx extended deny ip 172.16.1.0 255.255.255.0 host VMCPRD
access-list xxx extended deny ip 10.167.0.0 255.255.240.0 host VMCPRD
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 220.127.116.11 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 18.104.22.168 255.255.255.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0
access-list xxx extended permit ip 22.214.171.124 255.255.0.0 126.96.36.199 255.255.0.0
access-list xxx extended permit ip 188.8.131.52 255.255.0.0 10.162.0.0 255.255.0.0
Are those IP ranges able to get to VMCPRD hosts? Is that what is happening? I'm not clear on what you mean. But let me give this a shot...
Since this is a crypto match-address ACL, I would remove the deny statements and only allow traffic between the local subnets and remote subnets. Then I would add a deny ACL statement in the ethernet interface. Hope this helps.
Have you defined the crypto ACL at the other end to not encrypt 10.162.7.19 to the other IP ranges? Also, I would try replacing the name "VMCPRD" in the ACL with the IP address instead. Since I have not seen a deny statement used on a crypto ACL, I hope someone else can assist.
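An added example, not from the original thread or from any of the posters: on an ASA, a crypto map's match-address ACL is evaluated first match wins, a permit line means the flow is protected by IPsec, and a deny line (or no match at all) means the flow is not sent through the tunnel. The script below reproduces that evaluation over the ACL posted above, so you can see which permit entries the deny lines carve an exemption out of. It assumes the object name VMCPRD resolves to 10.162.7.19 (the host mentioned in one reply; the original post does not say), and it ignores the protocol field since every line is `ip`.

```python
import ipaddress

# Assumption (not stated in the thread): VMCPRD resolves to 10.162.7.19.
NAME_OBJECTS = {"VMCPRD": "10.162.7.19"}

# Copy of the crypto ACL posted in the thread (constructed input for this example).
CRYPTO_ACL = """
access-list xxx extended deny ip 184.108.40.206 255.255.0.0 host VMCPRD
access-list xxx extended deny ip 172.16.1.0 255.255.255.0 host VMCPRD
access-list xxx extended deny ip 10.167.0.0 255.255.240.0 host VMCPRD
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 220.127.116.11 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 10.162.0.0 255.255.0.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 18.104.22.168 255.255.255.0
access-list xxx extended permit ip 10.167.0.0 255.255.240.0 172.22.19.0 255.255.255.0
access-list xxx extended permit ip 22.214.171.124 255.255.0.0 126.96.36.199 255.255.0.0
access-list xxx extended permit ip 188.8.131.52 255.255.0.0 10.162.0.0 255.255.0.0
"""


def parse_endpoint(tokens, i):
    """Parse one ASA address spec starting at tokens[i].

    Returns (network, next_index). ASA ACLs use real netmasks, not
    wildcard masks, so the mask is passed to ipaddress unchanged.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        addr = NAME_OBJECTS.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(f"{addr}/32"), i + 2
    mask = tokens[i + 1]
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list <name> extended <action> <proto> <src> <dst>' lines
    into (action, proto, src_net, dst_net, original_line) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list":
            continue
        action, proto = tokens[3], tokens[4]
        src, i = parse_endpoint(tokens, 5)
        dst, _ = parse_endpoint(tokens, i)
        rules.append((action, proto, src, dst, line))
    return rules


def crypto_decision(rules, src_ip, dst_ip):
    """First-match evaluation as applied by a crypto map: 'encrypt' when the
    first matching line is a permit, 'bypass' when it is a deny or when
    nothing matches (the implicit deny at the end of the ACL)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst, line in rules:
        if s in src and d in dst:
            return ("encrypt" if action == "permit" else "bypass", line)
    return "bypass", "<implicit deny: no crypto ACL match>"


def deny_carve_outs(rules):
    """For each deny entry, list the later permit entries whose source and
    destination ranges it overlaps, i.e. the tunnels it punches a hole in.
    A deny that overlaps nothing can never affect tunnel selection."""
    pairs = []
    for i, (action, _proto, s1, d1, line) in enumerate(rules):
        if action != "deny":
            continue
        for action2, _proto2, s2, d2, line2 in rules[i + 1:]:
            if action2 == "permit" and s1.overlaps(s2) and d1.overlaps(d2):
                pairs.append((line, line2))
    return pairs


if __name__ == "__main__":
    rules = parse_acl(CRYPTO_ACL)
    for flow in [("10.167.3.10", "10.162.7.19"), ("10.167.3.10", "10.162.5.5"),
                 ("192.168.50.1", "10.162.5.5")]:
        print(flow, "->", crypto_decision(rules, *flow))
    for deny_line, permit_line in deny_carve_outs(rules):
        print("exemption:", deny_line, "\n   carved out of:", permit_line)
```

With the VMCPRD assumption, only the third deny overlaps a permit (the 10.167.0.0/20 to 10.162.0.0/16 entry); the other two denies name source ranges that no permit line covers, so they can never match tunnel traffic, which is consistent with them showing no hits. Pair the same check with the peer's crypto ACL: the remote side must exempt the same host, or the two proxy identities will not agree.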