Site-to-site VPN ACL?

dear experts,

The ACLs for my VPN are given below:

On Head Office:
ip access-list extended ACL_VPN_HO_TO_BR
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255

On Branch Office:
ip access-list extended ACL_VPN_BR_TO_HO
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255

But communication works only between 192.168.100.0/24 and 192.168.2.0/24; there is no communication between 192.168.100.0/24 and 192.168.1.0/24.

What could be wrong? Or does the crypto map allow only a single-entry ACL?
nainasipra asked:

Pete Long (Technical Consultant) commented:
What version are you running? 'sho ver'.
Remember, just because the ACLs for the crypto maps are correct does not mean that traffic will flow!

At a guess, I would check that you have a 'NAT exemption' for the 192.168.100.0/24 and 192.168.1.0/24 networks.
How that's done differs depending on what version you are running (hence my first question).

You should either have a no-NAT ACL like this (note your ACL name may be different; 'show nat' will tell you) (version 8.2 and older):
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
OR
(version 8.3 and newer)
object network NETWORK_OBJ_192.168.100_24
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static  NETWORK_OBJ_192.168.100_24  NETWORK_OBJ_192.168.100_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

Regards,

Pete
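The two points raised so far (the question of whether a multi-entry crypto ACL is fine, and Pete's guess that a NAT exemption is missing for one subnet pair) can both be checked offline before touching the devices. The script below is an added example, not code from the thread or from Cisco: it parses the two crypto ACLs quoted in the question (embedded here as constructed input), verifies that every head-office entry has its exact mirror on the branch, and then checks each entry against a list of NAT-exempt (source, destination) pairs. The exemption list `HO_NAT_EXEMPT` is a constructed assumption that deliberately omits the 192.168.1.0/24 pair, so the output reproduces the symptom described in the question; how the exemption is actually expressed (a nat0 ACL or twice-NAT on an ASA, a deny in the NAT ACL or a route-map on an IOS router) is outside what this script models.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACLs quoted in the question.
HO_ACL = """ip access-list extended ACL_VPN_HO_TO_BR
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
BR_ACL = """ip access-list extended ACL_VPN_BR_TO_HO
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# Constructed (assumed) NAT exemption on the head-office side, modelled as
# (source, destination) network pairs. The 192.168.1.0/24 pair is deliberately
# missing so the check reproduces the symptom in the thread.
HO_NAT_EXEMPT = [
    (ipaddress.IPv4Network("192.168.2.0/24"), ipaddress.IPv4Network("192.168.100.0/24")),
]

PERMIT_RE = re.compile(r"^\s*permit\s+(\S+)\s+(.+)$")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an IPv4Network (0.0.0.255 -> /24)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_operand(tokens):
    """Consume one address operand from the token list: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(text):
    """Return [(protocol, src_net, dst_net), ...] for every permit line of an extended ACL."""
    entries = []
    for line in text.splitlines():
        m = PERMIT_RE.match(line)
        if not m:
            continue  # the header, remarks and deny lines are not interesting traffic
        tokens = m.group(2).split()
        src = parse_operand(tokens)
        dst = parse_operand(tokens)
        entries.append((m.group(1), src, dst))
    return entries


def mirror_gaps(local, remote):
    """Local entries whose exact mirror (dst, src) is absent from the peer's crypto ACL.

    A gap is a flow the local side will try to protect but the peer will not accept
    as a proxy identity, so IPsec phase 2 fails for that subnet pair only.
    """
    remote_keys = {(p, str(s), str(d)) for p, s, d in remote}
    return [(p, str(s), str(d)) for p, s, d in local if (p, str(d), str(s)) not in remote_keys]


def unexempted(entries, exempt_pairs):
    """Crypto ACL entries not covered by any NAT exemption pair.

    Traffic matching these entries is translated before the crypto map evaluates it,
    no longer matches the crypto ACL, and leaves the outside interface unprotected.
    """
    out = []
    for p, s, d in entries:
        covered = any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt_pairs)
        if not covered:
            out.append((p, str(s), str(d)))
    return out


if __name__ == "__main__":
    ho, br = parse_acl(HO_ACL), parse_acl(BR_ACL)
    print("crypto ACL mirror gaps (HO vs BR):", mirror_gaps(ho, br))
    print("HO entries without NAT exemption:", unexempted(ho, HO_NAT_EXEMPT))
```

Run as-is, the mirror check comes back empty (the two ACLs in the question are exact mirrors, so a two-entry crypto ACL is not the problem), while the exemption check reports the 192.168.1.0/24 to 192.168.100.0/24 entry, which is precisely the pair that is not passing traffic.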

Sandeep Gupta (Consultant) commented:
It should work.

Can you please also allow this in the ACL:

permit gre <<source range>> <<destination range>>

Try rebooting your router as well.
Sandeep Gupta (Consultant) commented:
If you have loopback0 (management IP), just allow that also in the ACL:

permit ip <<loopback0 IP>> any

nainasipra (Author) commented:
My GRE ACL is:
!
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
Sandeep Gupta (Consultant) commented:
Where have you applied it?

Can you share all the relevant config?
nainasipra (Author) commented:
Dear Sandeep,

I have not applied the GRE ACL anywhere, but I can see it in the configuration.
These are all the entries that exist; please check and help me if it has any effect on the VPN.
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!

And what if I remove the SDM_GRE ACL from the configuration?

Thanks,
Sandeep Gupta (Consultant) commented:
The class map you have defined is of type 'inspect'... basically your ACL is not being used for interesting traffic. I can help you more if you could share your complete config.

I am not able to see what ACL are working for interesting traffic.

Also, one or more ACLs can be defined as interesting traffic.