11-19-2008 01:57 AM - edited 03-11-2019 07:15 AM
Hello,
I'm quite new to these boards so I'll try to explain my problem as best as I can.
If something is missing or incorrect, please inform me so I can update.
I want to do a local NAT before a VPN IPSEC because my internal range is already known at the customer's site. I've set up the static NAT rules and access policy.
Here you have the config as it is on the ASA right now.
Local server IP: 10.0.74.5
Required NAT address: 192.168.222.1
Customer range: 10.10.10.0/24
VPN Config:
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 200.200.200.200
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key "key"
access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0
static (inside,outside) 192.168.222.1 10.0.74.5 netmask 255.255.255.255 -> 1-on-1 NAT
I'm allowing this first before I start narrowing it down to only ftp!
access-list outside_access_in extended permit tcp any host 192.168.222.1
access-list outside_access_in extended permit ip any host 192.168.222.1
access-list outboundnat2 permit ip host 10.0.74.5 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list outboundnat2
nat (inside) 1 0.0.0.0 0.0.0.0
Any help would be greatly appreciated!
Kind regards,
Eleander
11-19-2008 02:20 AM
Eleander
You can remove this line
access-list outside_2_cryptomap extended permit ip host 10.0.74.5 10.10.10.0 255.255.255.0
because traffic will be from the Natted address ie. NAT happens before the crypto-map access-list check.
The remote peer needs to have a mirror image of this access-list so
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 host 192.168.222.1
You could also remove the following
access-list outside_access_in extended permit tcp any host 192.168.222.1
as your next line permitting ip covers tcp. But then you say you will be looking to narrow that down.
The only other thing is you need to be aware that with a L2L VPN there are 2 ways in terms of acl's it can be setup
1) "sysopt connection permit-vpn" If you have this line in your config then traffic coming from the remote site down the tunnel is unencrypted and then it bypasses the acl attached to the outside interface ie. the acl on the outside interface does not have any effect on the traffic
2) If you don't have "sysopt connection permit-vpn" then the traffic will be then checked against the acl on the outside interface after being decrypted.
To see whether you are running sysopt connection permit-vpn run
"sh running-config sysopt"
I believe it is on by default.
Jon
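The two points Jon makes above (the static NAT is applied before the crypto-map ACL is evaluated, and the peer's crypto ACL must be the mirror image of the local one) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it parses the thread's own access-list syntax with Python's standard ipaddress module, and the NAT table and ACL lines are constructed from the values posted above.

```python
import ipaddress
import re

# Constructed from the thread: local crypto-map ACL and the 1-on-1 static NAT.
LOCAL_CRYPTO_ACL = [
    "access-list outside_2_cryptomap extended permit ip host 192.168.222.1 10.10.10.0 255.255.255.0",
]
STATIC_NAT = {ipaddress.ip_address("10.0.74.5"): ipaddress.ip_address("192.168.222.1")}

_LINE = re.compile(r"access-list (\S+) extended permit (\S+) (.+)")

def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(line):
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended permit ACE: {line}")
    name, proto, rest = m.groups()
    src, rest = _parse_addr(rest.split())
    dst, _ = _parse_addr(rest)          # trailing "eq ftp" etc. is ignored here
    return {"name": name, "proto": proto, "src": src, "dst": dst}

def mirror(entry):
    """The ACE the remote peer needs: source and destination swapped."""
    return {**entry, "src": entry["dst"], "dst": entry["src"]}

def render(entry):
    def fmt(n):
        if n.prefixlen == 0:
            return "any"
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.netmask}"
    return (f"access-list {entry['name']} extended permit {entry['proto']} "
            f"{fmt(entry['src'])} {fmt(entry['dst'])}")

def nat_then_match(acl_lines, inside_host, remote_host):
    """Apply static NAT to the inside host first, then test the crypto ACL against the proxy pair."""
    real = ipaddress.ip_address(inside_host)
    local = STATIC_NAT.get(real, real)   # no static entry: address leaves untranslated
    remote = ipaddress.ip_address(remote_host)
    for e in map(parse_acl, acl_lines):
        if local in e["src"] and remote in e["dst"]:
            return str(local), True
    return str(local), False
```

Because the check is done on the translated address, an ACE for the real address 10.0.74.5 never matches and can be dropped, exactly as suggested above.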
11-19-2008 02:32 AM
Jon,
Thx for the quick reply.
Changed as you proposed but I can't find any sysopt connection entry.
Kind regards,
Eleander
11-19-2008 02:37 AM
Eleander
What is the output of running the command
sh running-config sysopt
if you want to turn off bypassing the acl then you will need to enter
asa(config)# no sysopt connection permit-vpn
but that is only if you want the traffic to be subject to your acl on the outside interface.
Jon
11-19-2008 02:42 AM
11-19-2008 03:23 AM
Okay no problem. I just checked the command references and this is on by default -
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s8_72.html#wp1198155
So if you want to bypass the acl on the outside interface you don't need to do anything. If you want the incoming VPN traffic to be checked against the acl on the outside interface then you need to enter
asa(config)# no sysopt connection permit-vpn
Still bit of a mystery as to why it doesn't show the sysopt settings -
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s6_72.html#wp1287358
Jon
11-19-2008 03:31 AM
Jon,
I've changed the config as you proposed and mailed the customer to try the connection again.
Did you by any chance have a look at the added config in my previous post? To see I didn't make any mistakes in the ACLs?
Kind regards,
Eleander
11-19-2008 03:39 AM
Eleander
You will need to add the following
access-list outside_access_in extended permit tcp any host 192.168.222.1 eq ftp-data
FTP is a funny one. Do you know if it is passive ftp or not ?
If you have problems getting the FTP to work then you may need to adjust your acl. But first things first, need to see if the VPN tunnel comes up :-)
Jon
11-19-2008 04:19 AM
Jon,
I added the information you requested and also the FTP into the access-list. (see attached word doc)
But now I'm having these problems.
"Rejecting IPSec Tunnel: no matching crypto map entry for remote proxy 10.10.10.87/255.255.255.255/0/0 local proxy 192.168.222.1/255.255.255.255/0/0 on interface outside"
Looking into them right now.
What ACL am I missing?
Really appreciate you spending this much time to find a solution!
Kind regards,
Eleander
11-19-2008 04:20 AM
11-19-2008 04:33 AM
Eleander
Is this coming up on the ASA we have been modifying the config on ?
Do you happen to have the config for both devices ie. the one we have been dealing with and the other one ?
Just as a quick test could you add this line to your crypto-map access-list and retry
access-list outside_2_cryptomap extended permit ip host 192.168.222.1 host 10.10.10.87
It really should not make a difference but just in case.
Jon
11-19-2008 04:46 AM
Jon,
Added the ACL but nothing changes.
In the attachment you can find the latest config.
We only manage this one firewall, which is a pity, and more so because the firewall on the other site isn't a Cisco. :(
Before making your proposed change for the sysopt the L2L was working. So it must be in the access lists!
Thx a lot.
Kind regards,
Eleander
11-19-2008 06:09 AM
Eleander
Can you remove the sysopt line and then let me know if it is working ie.
pix(config)# sysopt connection permit-vpn
Jon
11-19-2008 06:13 AM
Jon,
I also dug a little further and the site-to-site seems to be coming active.
There was a problem within the traffic selection for the L2L.
Thx a lot for the support on the access-list!
Just having this problem right now:
6 Nov 19 2008 16:58:29 302013 10.10.10.87 10.0.74.5 Built inbound TCP connection 5460 for outside:10.10.10.87/37590 (10.10.10.87/37590) to inside:10.0.74.5/21 (192.168.222.1/21)
6 Nov 19 2008 16:58:59 302014 10.10.10.87 10.0.74.5 Teardown TCP connection 5460 for outside:10.10.10.87/37590 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout
So connection goes through but time's out!
I think changing/adding the ftp instead of the ftp-data will resolve my issue!
Thx a lot!!!
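The two syslog lines in the post above are the ASA's 302013 (Built) and 302014 (Teardown) messages for the same connection id. Pairing them up, as the added example below does (not code from the thread or from Cisco; the sample log is constructed from the lines posted above), shows what the firewall recorded: the SYN was permitted and a connection was built, then torn down after 30 seconds with 0 bytes and reason "SYN Timeout", i.e. the handshake never completed because no SYN-ACK came back through the ASA from the inside server.

```python
import re

# Constructed sample in the shape of the two messages quoted in the thread.
SAMPLE_LOG = """\
6 Nov 19 2008 16:58:29 302013 10.10.10.87 10.0.74.5 Built inbound TCP connection 5460 for outside:10.10.10.87/37590 (10.10.10.87/37590) to inside:10.0.74.5/21 (192.168.222.1/21)
6 Nov 19 2008 16:58:59 302014 10.10.10.87 10.0.74.5 Teardown TCP connection 5460 for outside:10.10.10.87/37590 to inside:10.0.74.5/21 duration 0:00:30 bytes 0 SYN Timeout
"""

BUILT = re.compile(r"302013 .* Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
                   r"for (?P<src>\S+) .*to (?P<dst>\S+)")
TEARDOWN = re.compile(r"302014 .* Teardown TCP connection (?P<id>\d+) .*duration (?P<dur>\S+) "
                      r"bytes (?P<bytes>\d+) (?P<reason>.*)$")

def classify(reason, nbytes):
    """Map a teardown reason plus byte count to what it tells the operator."""
    if reason == "SYN Timeout" and nbytes == 0:
        return "handshake never completed: ASA permitted the SYN, no SYN-ACK seen from the server"
    if nbytes == 0:
        return f"closed without data ({reason})"
    return f"completed, {nbytes} bytes ({reason})"

def analyse(log):
    """Pair Built/Teardown messages by connection id and attach a verdict to each."""
    conns = {}
    for line in log.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = {"dir": m["dir"], "src": m["src"], "dst": m["dst"],
                              "verdict": "still open"}
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in conns:
            c = conns[m["id"]]
            c["duration"] = m["dur"]
            c["verdict"] = classify(m["reason"].strip(), int(m["bytes"]))
    return conns

if __name__ == "__main__":
    for cid, c in analyse(SAMPLE_LOG).items():
        print(cid, c["dir"], c["src"], "->", c["dst"], ":", c["verdict"])
```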
11-19-2008 06:17 AM
Eleander
Do you think you have it working now or at least know what to do ?
I'm dying to get out on my mountain bike but happy to hang around if you need further help.
Jon