ACL and Tunnel

CharlieDinh84
Level 1

I'm working with 3 routers on 3 different sites.  The 3 routers are configured and tunneled to each other.  My manager added more code to my router and now I cannot ping the other sites.  When I was looking through the commands, he put an access control list denying our network to the other site network on the NAT overload, but he put permit on the tunnel that permitted our network to talk to each other.  Wouldn't that conflict?  In his e-mail he wrote to me:

These rules are correct, please take a look at Seattle, Chicago or Dc router, you need to deny this traffic on nat acl and then match the traffic for tunnel on different acl which permits it.

So, if the router tunnel has it permitted, we can get traffic to us, but we can't respond back because we are blocked from the NAT inside ACL to talk to their traffic?  That's what I'm getting and explaining to him, but he keeps saying the description above.  If someone can quickly answer, I would appreciate it.

The tunnel was working until he touched them, but I just need some feedback to confirm this.

Thanks,

Charlie

3 Replies

mpyhala
Level 7

Hi Charlie,

Thank you for posting. You didn't mention what model routers you have, although it sounds like Enterprise instead of Small Business. For Enterprise routers, please post your question at the following page:

https://supportforums.cisco.com/community/netpro/network-infrastructure/routing

I have a Cisco 2900 series for all sites

Charlie

Some additional information about your environment would be helpful. You have told us that there are 3 routers connected by tunnels. But you have not told us what kind of tunnels - are they IPSec tunnels, are they GRE tunnels, are they GRE with IPSec tunnels? For IPSec or GRE with IPSec it usually is correct to have one access list that denies the traffic when used for Address Translation and another access list that permits the traffic when used for crypto processing of interesting traffic through the tunnel.

If you could provide the relevant parts of the config that might also be helpful.

HTH

Rick

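The two-ACL pattern Rick describes, written out as an added IOS configuration example for one site (not taken from Charlie's routers; the site LANs, peer address, interface and names are constructed). The point it illustrates is that "deny" in a NAT ACL means "do not translate", not "drop": site-to-site packets must leave NAT untranslated so their original source still matches the crypto ACL, while the same packets are explicitly permitted in the crypto ACL as interesting traffic for the tunnel.

```cisco
! Constructed example for a Seattle router (not the thread's real config).
! Assumed LANs: Seattle 10.1.0.0/24, Chicago 10.2.0.0/24, DC 10.3.0.0/24.
! Assumed remote peer and outside interface are placeholders.
!
! NAT ACL: exempt site-to-site traffic from overload translation,
! translate everything else from the Seattle LAN to the Internet.
ip access-list extended NAT-ACL
 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 deny   ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 any
!
! Crypto ACLs: the same site-to-site traffic is the "interesting" traffic
! that must be encrypted; this permit does not conflict with the deny above
! because the two lists serve different features.
ip access-list extended CRYPTO-TO-CHICAGO
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended CRYPTO-TO-DC
 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
! Overload NAT referencing the NAT ACL (GigabitEthernet0/0 assumed outside).
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
!
! Crypto map entries referencing the crypto ACLs (peers and transform set assumed).
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address CRYPTO-TO-CHICAGO
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set TS
 match address CRYPTO-TO-DC
!
interface GigabitEthernet0/0
 ip nat outside
 crypto map VPN
interface GigabitEthernet0/1
 ip nat inside
```

To confirm the split is working, "show ip nat translations" should show no entries for the remote LANs while Internet-bound flows are translated, and "show crypto ipsec sa" should show encaps/decaps counters increasing for the site-to-site traffic; if the NAT ACL lacked the deny lines, the translated source address would never match the crypto ACL and the return ping would fail exactly as Charlie observed.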