Showing results for 
Search instead for 
Did you mean: 

Does default gateway need to be allowed in IP ACL??


Have someting strange happening.  Have a VLAN, we will call this subnet 1 VLAN1.  Have a remote  network that a device on subnet 1 needs to get to.

The device on subnet 1 is a NAT'd VPN box.  On one side is a private network, we will say 192.168.x.x.  So the public side of the NATd VPN box has an IP address on VLAN1 Subnet 1. It tunnels the traffic to the remote network via EIGRP published routes.  Lets call the remote network

So on the port that the NATd VPN box plugs into on VLAN1 Subnet 1 (the entire swith is configured at VLAN1 Subnet1) which has a trunk port to a Layer 3 switch that handles the routing)  I add an extended IP ACL that Allows the static IP address assigned to the NATd VPN box to ping the far side VPN box on the network and allow any packet it sends to go to there also (so host VLAN1 IP address host remote network IP address ANY)

Inherint block on all other traffic.

The issue is the VPN tunnel between the VLAN1 box and the network VPN box comes up for about 20 seconds, then dies.   I remove the ACL and it works fine.  I put it back on, same 20 seconds, then dies.

So, in the ACL I put a permit from host VLAN 1 IP address (the NATd VPN box) to host IP address of VLAN1 default gateway ANY and the tunnel comes up for good, no issues.

The funny thing is, that the original setup was up and working for days, then decided to stop and nothing was changed.  I had to add the default gateway of the VLAN1 IP to the ACL to get it working again and it has been up for a few days.

Does not make sense to me so any insight?    I don't know why as the arp for the remote IP address would return the layer 2 mac of the default gateway, whihc is layer 2 and the acl should not affect this traffic.    Can't see it being a proxy arp issue either. 

Any insight??



Everyone's tags (5)
CreatePlease to create content
Content for Community-Ad