?
Solved

site to site VPN ACL ?

Posted on 2014-07-21
7
Medium Priority
?
410 Views
Last Modified: 2014-09-08
dear experts,

ACL for my VPN are given below:

on Head Office:
ip access-list extended ACL_VPN_HO_TO_BR
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255

on Branch Office:
ip access-list extended ACL_VPN_BR_TO_HO
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255

but the communication is only between 192.168.100.0/24 and 192.168.2.0/24
but not have communication between 192.168.100.0/24 and 192.168.1.0/24

what could be wrong or crypto map allow only single entry ACL?
0
Comment
Question by:nainasipra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 40211327
What version are you running? 'sho ver'.
Remember just because the ACL for the cryptomaps are correct does not mean that traffic will flow!

At a guess I would check you have a 'Nat Exemption' for the 192.168.100.0/24 and 192.168.1.0/24 networks.
how that's done differs depending on what version you are running (hence my first question)

you should either have a no nat acl like this (note your ACL name may be different, show nat will tell you....... (version 8.2 and older)
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
OR
(version 8.3 and newer)
object network NETWORK_OBJ_192.168.100_24
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static  NETWORK_OBJ_192.168.100_24  NETWORK_OBJ_192.168.100_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

Regards,

Pete
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40216390
it should work..

can you please allow also in the acl

permit gre <<source range>> <<destination range>>

try rebooting ur router as well.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40216392
if you have loopback0 (management ip)..just allow that also in acl

permit ip <<loopback0 IP>> any
0
WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

 

Author Comment

by:nainasipra
ID: 40216481
my GRE acl is :
!
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40218621
where you have applied it?

can you share all the relevant config?
0
 

Author Comment

by:nainasipra
ID: 40218990
dear sandeep,

I have not applied GRE ACL any where, but i can see it in configuration.
these are total entries exisit, please check and help me if it has any effects on VPN.
:::::
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!

and what if I will remove SDM_GRE ACL from configuration.

Thanks,
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40248001
class map you have defined as 'inspect'...basically your ACL is not performing for interesting traffic..I can help you more if you could share your complete config?

I am not able to see what ACL are working for interesting traffic.


Also one or more ACL can be defined as interesting traffic.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question