
New Member

Help Site to Site VPN Config

Hi All,

I have a requirement for a site-to-site VPN; I have to define the interesting traffic as ip 192.168.100.0 255.255.255.0 --> 172.16.100.0 255.255.255.0

This works fine, but in the same subnet there is one client machine which we do not want to use the same VPN tunnel. Here is the access-list I have:

access-list STS-VPN line 1 deny ip host 192.168.100.200 172.16.100.0 255.255.255.0

access-list STS-VPN line 2 deny icmp host 192.168.100.200 172.16.100.0 255.255.255.0

access-list STS-VPN line 3 permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0

The first two lines should stop the host 192.168.100.200 from using this VPN tunnel, but this configuration doesn't work. Is there anything else I have to do? And yes, the other end is using the reverse of the same access-list.

When I clear the VPN with "clear isa sa" the client works and it can ping, but after some time it stops working....
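As an added illustration (not part of the original post or of any Cisco software), the following Python models first-match evaluation of the crypto ACL shown above and of its mirror on the remote side. It parses ACL lines in the same "access-list NAME [line N] ACTION PROTO SRC DST" form, classifies sample flows, and reports flows whose classification differs between the local ACL and the remote one. The helper names, the REMOTE_PERMIT_ONLY ACL and the sample flows are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry: action, protocol, source and destination networks."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "icmp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D NETMASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ASA-style "network netmask" pair; strict=False tolerates host bits in the address
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list ...' lines into an ordered list of Ace objects (other lines are skipped)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        i = 2                                 # tokens[1] is the ACL name
        if tokens[i] == "line":               # optional "line N" sequence number
            i += 2
        action, proto = tokens[i], tokens[i + 1]
        i += 2
        src, i = _parse_addr(tokens, i)
        dst, i = _parse_addr(tokens, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def classify(aces, src_ip, dst_ip, proto="ip"):
    """First-match evaluation: return 'permit', 'deny', or None when nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        # an "ip" entry matches every protocol; other entries match only their own
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action
    return None


def mirror(aces):
    """The ACL the remote peer should carry: same entries with source and destination swapped."""
    return [Ace(a.action, a.proto, a.dst, a.src) for a in aces]


def mismatches(local, remote, flows):
    """Flows (src, dst, proto) classified differently by the local ACL and the remote ACL seen from its side."""
    return [(s, d, p) for s, d, p in flows
            if classify(local, s, d, p) != classify(remote, d, s, p)]


# The ACL from the post, as written there.
STS_VPN = parse_acl("""
access-list STS-VPN line 1 deny ip host 192.168.100.200 172.16.100.0 255.255.255.0
access-list STS-VPN line 2 deny icmp host 192.168.100.200 172.16.100.0 255.255.255.0
access-list STS-VPN line 3 permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
""")

# Constructed: a remote ACL that mirrors only the permit line and forgot the deny entries.
REMOTE_PERMIT_ONLY = """
access-list STS-VPN-REMOTE permit ip 172.16.100.0 255.255.255.0 192.168.100.0 255.255.255.0
"""

# Constructed sample flows: the excluded host, an ordinary host, and non-VPN traffic.
SAMPLE_FLOWS = [
    ("192.168.100.200", "172.16.100.5", "ip"),
    ("192.168.100.10", "172.16.100.5", "ip"),
    ("192.168.100.10", "10.1.1.1", "ip"),
]

if __name__ == "__main__":
    for s, d, p in SAMPLE_FLOWS:
        print(f"{s} -> {d} ({p}): local={classify(STS_VPN, s, d, p)}, "
              f"mirror={classify(mirror(STS_VPN), d, s, p)}")
    print("mismatches vs permit-only remote:",
          mismatches(STS_VPN, parse_acl(REMOTE_PERMIT_ONLY), SAMPLE_FLOWS))
```

The mismatch check is the part worth keeping around: when the remote peer carries only the permit line, return traffic for the excluded host is still classified as interesting on that side, which is exactly the asymmetry to look for when one host is meant to bypass the tunnel.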

10 REPLIES
Green

Help Site to Site VPN Config

Did you do something similar for your NAT exemption access-list as well?

New Member

Help Site to Site VPN Config

hi acomiskey,

There is no NAT exemption. I tried to do the same, but it still doesn't work: when the VPN tunnel is up the denied IPs cannot communicate, and if there is no VPN it works.

When the VPN tunnel is up and I do the trace, it's reaching the other end; I guess the problem is on the other end, the IOS router.

Bronze

Help Site to Site VPN Config

Can you post your VPN configuration?

I've seen something similar to this, but it didn't involve the access-list.

The two ASAs had a single configuration line difference.

When they initiated traffic, it brought up the VPN.  After a while of no interesting traffic, the VPN went down (like it should).

When we initiated traffic, it wouldn't work because they used pfs (perfect forward secrecy) and we did not.

Therefore, they would not accept any of our traffic and the VPN would not come up until they initiated traffic.

Ven

Ven Taylor
New Member

Help Site to Site VPN Config

hi Ven,

There is no line difference; I verified it many times. As I explained,

when the VPN tunnel is up and I do the trace, it's reaching the other end; I guess the problem is on the other end, the IOS router.

New Member

Help Site to Site VPN Config

Anybody ???

New Member

Re: Help Site to Site VPN Config

Have you tried to filter that specific host with a VPN filter in the group policy? You can use a different ACL where you deny traffic from that host and permit anything else. I think it is better to leave the crypto map ACL with only permit IP statements and then be as specific as you want in the filter ACL.

Sent from Cisco Technical Support iPhone App

New Member

Help Site to Site VPN Config

Raul,

I do not want to deny that specific IP; I want it not to use the VPN, because we use this system to troubleshoot the network, run traces, etc.

New Member

Re: Help Site to Site VPN Config

Sorry, I think I'm not understanding exactly what you need.

You have this right?

192.168.100.0/24 --> ASA >VPN< Router<--172.16.100.0/24

And you want 192.168.100.200 not to reach 176.16.100.0/24 through the VPN tunnel right?

Sent from Cisco Technical Support iPhone App

New Member

Help Site to Site VPN Config

Yes exactly...

Only this IP; it should go through the network without the VPN.

New Member

Re: Help Site to Site VPN Config

Then, sorry to insist but I think a VPN filter is the best option.

Here is a link that might explain it better

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Another option would be to deny that traffic using the access-group; you can do that on the inside interface of the ASA or even on the remote router's LAN interface.

Sent from Technical Support iPhone App
