Solved

site to site VPN ACL ?

Posted on 2014-07-21
7
380 Views
Last Modified: 2014-09-08
dear experts,

ACL for my VPN are given below:

on Head Office:
ip access-list extended ACL_VPN_HO_TO_BR
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255

on Branch Office:
ip access-list extended ACL_VPN_BR_TO_HO
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255

but the communication is only between 192.168.100.0/24 and 192.168.2.0/24
but not have communication between 192.168.100.0/24 and 192.168.1.0/24

what could be wrong or crypto map allow only single entry ACL?
0
Comment
Question by:nainasipra
  • 4
  • 2
7 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40211327
What version are you running? 'sho ver'.
Remember just because the ACL for the cryptomaps are correct does not mean that traffic will flow!

At a guess I would check you have a 'Nat Exemption' for the 192.168.100.0/24 and 192.168.1.0/24 networks.
how that's done differs depending on what version you are running (hence my first question)

you should either have a no nat acl like this (note your ACL name may be different, show nat will tell you....... (version 8.2 and older)
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
OR
(version 8.3 and newer)
object network NETWORK_OBJ_192.168.100_24
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static  NETWORK_OBJ_192.168.100_24  NETWORK_OBJ_192.168.100_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

Regards,

Pete
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40216390
it should work..

can you please allow also in the acl

permit gre <<source range>> <<destination range>>

try rebooting ur router as well.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40216392
if you have loopback0 (management ip)..just allow that also in acl

permit ip <<loopback0 IP>> any
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:nainasipra
ID: 40216481
my GRE acl is :
!
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40218621
where you have applied it?

can you share all the relevant config?
0
 

Author Comment

by:nainasipra
ID: 40218990
dear sandeep,

I have not applied GRE ACL any where, but i can see it in configuration.
these are total entries exisit, please check and help me if it has any effects on VPN.
:::::
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!

and what if I will remove SDM_GRE ACL from configuration.

Thanks,
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40248001
class map you have defined as 'inspect'...basically your ACL is not performing for interesting traffic..I can help you more if you could share your complete config?

I am not able to see what ACL are working for interesting traffic.


Also one or more ACL can be defined as interesting traffic.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
EIGRP STUB 19 72
eigrp in site-to-site vpn 4 37
Voicemail on Cisco Unity Express unit has quit working 6 27
Setting up L2TP/IPsec in RRAS 5 16
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question