Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

site to site VPN ACL ?

Posted on 2014-07-21
7
Medium Priority
?
432 Views
Last Modified: 2014-09-08
dear experts,

ACL for my VPN are given below:

on Head Office:
ip access-list extended ACL_VPN_HO_TO_BR
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255

on Branch Office:
ip access-list extended ACL_VPN_BR_TO_HO
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255

but the communication is only between 192.168.100.0/24 and 192.168.2.0/24
but not have communication between 192.168.100.0/24 and 192.168.1.0/24

what could be wrong or crypto map allow only single entry ACL?
0
Comment
Question by:nainasipra
  • 4
  • 2
7 Comments
 
LVL 58

Accepted Solution

by:
Pete Long earned 2000 total points
ID: 40211327
What version are you running? 'sho ver'.
Remember just because the ACL for the cryptomaps are correct does not mean that traffic will flow!

At a guess I would check you have a 'Nat Exemption' for the 192.168.100.0/24 and 192.168.1.0/24 networks.
how that's done differs depending on what version you are running (hence my first question)

you should either have a no nat acl like this (note your ACL name may be different, show nat will tell you....... (version 8.2 and older)
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
OR
(version 8.3 and newer)
object network NETWORK_OBJ_192.168.100_24
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static  NETWORK_OBJ_192.168.100_24  NETWORK_OBJ_192.168.100_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

Regards,

Pete
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40216390
it should work..

can you please allow also in the acl

permit gre <<source range>> <<destination range>>

try rebooting ur router as well.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40216392
if you have loopback0 (management ip)..just allow that also in acl

permit ip <<loopback0 IP>> any
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 

Author Comment

by:nainasipra
ID: 40216481
my GRE acl is :
!
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40218621
where you have applied it?

can you share all the relevant config?
0
 

Author Comment

by:nainasipra
ID: 40218990
dear sandeep,

I have not applied GRE ACL any where, but i can see it in configuration.
these are total entries exisit, please check and help me if it has any effects on VPN.
:::::
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!

and what if I will remove SDM_GRE ACL from configuration.

Thanks,
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40248001
class map you have defined as 'inspect'...basically your ACL is not performing for interesting traffic..I can help you more if you could share your complete config?

I am not able to see what ACL are working for interesting traffic.


Also one or more ACL can be defined as interesting traffic.
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question