Crypto ACL

a.ortmann
Level 1

Hi, all

we have an L2L VPN tunnel between our headquarters (ASA5520 with network 10.100.1.0) and a branch office (Cisco 1841 with network 10.100.10.0). This has worked fine for years, but now we wish to change the configuration so that ALL traffic from the branch office goes over the VPN tunnel. My question: how do I have to change the crypto ACL to achieve this? Below are the relevant parts of the branch router:

---------------------------------------------------------------------------------------------
crypto map Branch-to-HQ 1 ipsec-isakmp
 ....
 match address 100
...
!
interface FastEthernet0/0
 description branch network
 ip address 10.100.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
..
!
interface Serial0/0/0:0
 ip address 212.xxx.xxx.50 255.255.255.252
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 crypto map Branch-to-HQ
...
!
ip route 0.0.0.0 0.0.0.0 212.xxx.xxx.49
...
!
ip nat inside source list 101 interface Serial0/0/0:0 overload
...
!
! ACL 100 is the crypto ACL referenced by "match address 100": traffic it permits is encrypted
access-list 100 permit ip 10.100.10.0 0.0.0.255 10.100.1.0 0.0.0.255
! ACL 101 is the NAT ACL: the deny exempts the tunnelled traffic from PAT, everything else is translated
access-list 101 deny   ip 10.100.10.0 0.0.0.255 10.100.1.0 0.0.0.255
access-list 101 permit ip 10.100.10.0 0.0.0.255 any
--------------------------------------------------------------------------------------------------

Thanks for your help !

Anke

6 Replies

Hey, well you just need to change what traffic is to get encrypted, which is what the crypto ACL does...

no access-list 100
access-list 100 permit ip any 10.100.1.0 0.0.0.255

= Any source address that is destined for 10.100.1.0/24 will now get encrypted.

Hello, Henrik

thanks for your answer. In my last Cisco course (ASA course) I learned to avoid the use of "any" statements in crypto ACLs. Does this not apply to the branch office router configuration?

Greetings Anke

XIE YAO
Level 1

IF your hub and spoke network ranges are the same as you stated, then your current L2L traffic is already in the tunnel.

IF you mean "ALL traffic from the branch office goes over the vpn-tunnel" includes the Internet (split tunnelling is not allowed for some reason), then you need to remove NAT and perhaps use an Internet proxy in the hub.
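A full-tunnel configuration for the branch side, written here as an added example; it is not taken from the original post or from any of the replies. It reuses the interface names, ACL numbers and addresses shown in Anke's configuration. The ASA lines at the end assume the HQ crypto ACL is named HQ-to-Branch (a placeholder) and note which NAT syntax applies to which ASA release.

```cisco
! ---- Branch router (Cisco 1841): send all traffic from 10.100.10.0/24 through the tunnel ----
! Addresses, interface names and ACL numbers are those from the posted configuration.
!
! 1. Crypto ACL. The source stays specific; "any" is only on the destination side, so
!    traffic the router itself sources from 212.xxx.xxx.50 (IKE, ESP, SSH to the router)
!    never matches the map and is not fed back into it.
no access-list 100
access-list 100 remark crypto ACL - full tunnel to HQ
access-list 100 permit ip 10.100.10.0 0.0.0.255 any
!
! 2. NAT exemption. On IOS the inside-to-outside NAT translation runs before the
!    crypto map is checked, so a packet that is still PATed to 212.xxx.xxx.50 would
!    no longer match ACL 100 and would leave in clear text. Rewriting ACL 101 so that
!    it permits nothing keeps the NAT statement in place (handy if split tunnelling
!    is reintroduced later) but translates nothing.
no access-list 101
access-list 101 remark NAT ACL - everything from the branch is tunnelled, nothing is translated
access-list 101 deny   ip 10.100.10.0 0.0.0.255 any
!
! These existing lines stay unchanged:
!   ip nat inside source list 101 interface Serial0/0/0:0 overload
!   ip route 0.0.0.0 0.0.0.0 212.xxx.xxx.49
! The default route only has to reach the IPsec peer; the crypto map on Serial0/0/0:0
! intercepts the branch traffic on its way out.
!
! Checks after the change (on the branch router):
!   show crypto ipsec sa       -> local ident 10.100.10.0/255.255.255.0, remote ident 0.0.0.0/0.0.0.0
!   show ip nat translations   -> no entries for hosts in 10.100.10.0/24
!
! ---- HQ ASA5520: mirror side (the ACL name HQ-to-Branch is an assumed placeholder) ----
! Mirror of the branch crypto ACL; ASA ACLs use subnet masks, not wildcard masks.
access-list HQ-to-Branch extended permit ip any 10.100.10.0 255.255.255.0
! Branch Internet traffic arrives on "outside" and must leave on "outside" again.
same-security-traffic permit intra-interface
! The branch hosts then need a translation to the ASA outside address, while the
! existing NAT exemption for 10.100.1.0/24 <-> 10.100.10.0/24 stays as it is.
!   ASA 8.2 and earlier:
!     nat (outside) 1 10.100.10.0 255.255.255.0
!     global (outside) 1 interface
!   ASA 8.3 and later:
!     object network BRANCH-NET
!      subnet 10.100.10.0 255.255.255.0
!      nat (outside,outside) dynamic interface
```

The two ACLs must stay consistent with each other: every flow ACL 100 permits must be denied (or not permitted) in ACL 101, otherwise the translated packet silently misses the crypto map. After applying both sides, a ping from a branch host to a public address should raise the #pkts encaps counter in show crypto ipsec sa rather than create a NAT translation.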

Hello, YAO

thanks for your answer. YES, with "ALL traffic from the branch office goes over the VPN tunnel" I mean the Internet traffic. You recommend removing NAT. Do you mean removing the "ip nat inside source list 101 interface Serial0/0/0:0 overload" statement from the branch office router configuration?

Greetings Anke

Can you try this crypto ACL:

access-list 100 permit ip any any

Thanks

Shanil

If you have multiple public interfaces for the Internet, use a static route to route traffic towards the specific interface, like:

ip route 10.100.1.0 255.255.255.0 (Peer IP of Branch Office)

Jawad