Solved

site to site VPN ACL ?

Posted on 2014-07-21
7
391 Views
Last Modified: 2014-09-08
dear experts,

ACL for my VPN are given below:

on Head Office:
ip access-list extended ACL_VPN_HO_TO_BR
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255

on Branch Office:
ip access-list extended ACL_VPN_BR_TO_HO
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255

but the communication is only between 192.168.100.0/24 and 192.168.2.0/24
but not have communication between 192.168.100.0/24 and 192.168.1.0/24

what could be wrong or crypto map allow only single entry ACL?
0
Comment
Question by:nainasipra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40211327
What version are you running? 'sho ver'.
Remember just because the ACL for the cryptomaps are correct does not mean that traffic will flow!

At a guess I would check you have a 'Nat Exemption' for the 192.168.100.0/24 and 192.168.1.0/24 networks.
how that's done differs depending on what version you are running (hence my first question)

you should either have a no nat acl like this (note your ACL name may be different, show nat will tell you....... (version 8.2 and older)
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
OR
(version 8.3 and newer)
object network NETWORK_OBJ_192.168.100_24
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static  NETWORK_OBJ_192.168.100_24  NETWORK_OBJ_192.168.100_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

Regards,

Pete
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40216390
it should work..

can you please allow also in the acl

permit gre <<source range>> <<destination range>>

try rebooting ur router as well.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40216392
if you have loopback0 (management ip)..just allow that also in acl

permit ip <<loopback0 IP>> any
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:nainasipra
ID: 40216481
my GRE acl is :
!
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40218621
where you have applied it?

can you share all the relevant config?
0
 

Author Comment

by:nainasipra
ID: 40218990
dear sandeep,

I have not applied GRE ACL any where, but i can see it in configuration.
these are total entries exisit, please check and help me if it has any effects on VPN.
:::::
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!

and what if I will remove SDM_GRE ACL from configuration.

Thanks,
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40248001
class map you have defined as 'inspect'...basically your ACL is not performing for interesting traffic..I can help you more if you could share your complete config?

I am not able to see what ACL are working for interesting traffic.


Also one or more ACL can be defined as interesting traffic.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco AnyConnect VPN 4 41
Ping issue with M.M.M.M 13 41
Routers to buy for MDT Multitasking 6 75
Cisco L3 Switch - Show DHCP Server's IP Address for every VLAN 3 8
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question