Help Site to Site VPN Config

syedaltaf.shah
Level 1

Hi All,

I have a requirement for a site-to-site VPN; I have to define the interesting traffic as ip 192.168.100.0 255.255.255.0 --> 172.16.100.0 255.255.255.0

This works fine, but in the same subnet there is one client machine which we do not want to use the same VPN tunnel. Here is the access-list I have:

access-list STS-VPN line 1 deny ip host 192.168.100.200 172.16.100.0 255.255.255.0

access-list STS-VPN line 2 deny icmp host 192.168.100.200 172.16.100.0 255.255.255.0

access-list STS-VPN line 3 permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0

The first two lines should deny the IP host 192.168.100.200 from using this VPN tunnel, but this configuration doesn't work. Is there anything else I have to do? And yes, the other end is using the reverse of the same access-list.

When I clear the VPN ("clear isa sa") the client works, it can ping, but after some time it stops working....

10 Replies

acomiskey
Level 10

Did you do something similar for your NAT exemption access-list as well?

Hi acomiskey,

There is no NAT exemption. I tried to do the same but it still doesn't work: when the VPN tunnel is up the denied IPs cannot communicate; if there is no VPN it works.

When the VPN tunnel is up and I do the trace, it's reaching the other end, so I guess the problem is on the other end, the IOS router.

Ven Taylor
Level 4

Can you post your VPN configuration?

I've seen something similar to this, but it didn't involve the access-list.

The two ASAs had a single configuration-line difference.

When they initiated traffic, it brought up the VPN.  After a while of no interesting traffic, the VPN went down (like it should).

When we initiated traffic, it wouldn't work because they used PFS (perfect forward secrecy) and we did not.

Therefore, they would not accept any of our traffic and the VPN would not come up until they initiated traffic.

Ven


Hi Ven,

There is no line difference, I verified it many times. As I explained:

When the VPN tunnel is up and I do the trace, it's reaching the other end, so I guess the problem is on the other end, the IOS router.

syedaltaf.shah
Level 1

Anybody ???

raulgome19
Level 1

Have you tried to filter that specific host with a VPN filter in the group policy? You can use a different ACL where you deny traffic from that host and permit everything else. I think it is better to leave the crypto map ACL with only permit ip statements and then be as specific as you want in the filter ACL.


Raul,

I do not want to deny that specific IP, I want it not to use the VPN, because we use this system to troubleshoot the network, trace, etc.

Sorry, I think I'm not understanding exactly what you need.

You have this, right?

192.168.100.0/24 --> ASA >VPN< Router<--172.16.100.0/24

And you want 192.168.100.200 not to reach 172.16.100.0/24 through the VPN tunnel, right?


Yes exactly...

Only this IP; it should go through the network without the VPN.

Then, sorry to insist, but I think a VPN filter is the best option.

Here is a link that might explain it better

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Another option would be to deny that traffic using the access-group; you can do that on the inside interface of the ASA or even on the remote router's LAN interface.

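Added example (editor's configuration, not posted by anyone in the thread) that puts the two approaches discussed side by side: the crypto-map ACL with deny entries, mirrored exactly on the IOS router and in the NAT exemption list as acomiskey asked, and the vpn-filter alternative Raul suggested. The peer addresses 203.0.113.1/203.0.113.2, the names OUTSIDE_MAP, ESP-AES-SHA, NONAT, VPN-FILTER and STS-GP, and the pre-8.3 "nat 0" syntax are assumptions; the two subnets and the host 192.168.100.200 are from the original post.

```cisco
! ===== ASA side (peer, names and pre-8.3 NAT syntax are assumed) =====
! Crypto ACL: the deny entry keeps 192.168.100.200 out of the tunnel, the
! permit encrypts the rest of 192.168.100.0/24 -> 172.16.100.0/24.
! "deny ip" already covers ICMP, so a separate "deny icmp" line is redundant.
access-list STS-VPN extended deny ip host 192.168.100.200 172.16.100.0 255.255.255.0
access-list STS-VPN extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
!
! If NAT exemption exists, mirror the deny there as well so the excluded host
! is translated like ordinary outbound traffic instead of leaving the outside
! interface untranslated and unencrypted.
access-list NONAT extended deny ip host 192.168.100.200 172.16.100.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto map OUTSIDE_MAP 10 match address STS-VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set pfs group2      ! must match the router (Ven's point)
crypto map OUTSIDE_MAP interface outside

! ===== IOS router side: crypto ACL must be the exact mirror image =====
ip access-list extended STS-VPN
 deny   ip 172.16.100.0 0.0.0.255 host 192.168.100.200
 permit ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES-SHA
 set pfs group2
 match address STS-VPN

! ===== Alternative from the thread: vpn-filter on the ASA =====
! Keeps the crypto ACL permit-only. Note that a vpn-filter DROPS the host's
! traffic on the tunnel; it does not send it outside the tunnel.
! Cisco documents vpn-filter ACLs with the remote network as the source.
access-list VPN-FILTER extended deny ip 172.16.100.0 255.255.255.0 host 192.168.100.200
access-list VPN-FILTER extended permit ip 172.16.100.0 255.255.255.0 192.168.100.0 255.255.255.0
group-policy STS-GP internal
group-policy STS-GP attributes
 vpn-filter value VPN-FILTER
tunnel-group 203.0.113.2 general-attributes
 default-group-policy STS-GP

! ===== Checks =====
! Confirm which path the excluded host takes without waiting for the SA to drop:
!   packet-tracer input inside icmp 192.168.100.200 8 0 172.16.100.10
! Confirm the negotiated proxy identities exclude the host on both ends:
!   show crypto ipsec sa            (ASA)
!   show crypto ipsec sa            (IOS)
```

With the deny-entry approach the excluded host's packets to 172.16.100.0/24 travel in cleartext over whatever route exists outside the tunnel, so both firewalls and the IOS router need a working non-tunnel path in each direction for that host; without it the host will appear to work only until the SA is established, which matches the symptom in the original post.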
