Do I need to create an ACL to allow traffic to the other side of the VPN?

msompong1
Level 1

I've created a site-to-site VPN between my ASA and the customer's firewall.

I've done it with the VPN wizard and the tunnel is already up. But my problem is that when my client on the LAN interface tries to connect to the server on the other side of the VPN, it cannot connect, and the ASA log shows it being blocked.

So I tried adding an ACL to allow the source LAN subnet to the destination server, and then the connection was successful.

My question is: although we have completed the site-to-site VPN setup, do we still need an ACL to allow the connection?


Deepak Kumar
VIP Alumni

Hi,

Which type of VPN configuration? As you mentioned a site-to-site VPN tunnel, you must have an interesting-traffic ACL for the VPN, and that ACL must be referenced in the crypto map or IKEv2 profile.

Regards,

Deepak Kumar 


Thank you for your response.

I'm using a site-to-site VPN.

Yes, I have the interesting-traffic ACL as below:

access-list outside_cryptomap extended permit ip 10.199.20.0 255.255.254.0 object-group DM_INLINE_NETWORK_1

And it is referenced in the crypto map:

crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.xx 

But the client in network 10.199.20.0 can't access the server in group DM_INLINE_NETWORK_1, and the ASA log shows the traffic has been blocked.

So I've created the ACL to allow it, as below:

access-list inside_access_in extended permit ip 10.199.20.0 255.255.254.0 object-group DM_INLINE_NETWORK_1

Then everything works as expected, so I'm not sure if this is the right setup?

Although the VPN will allow your needed traffic, the interface ACL where your client is located (e.g. the inside interface) still needs a permit entry for that traffic.

Iwen,

My client is directly connected to the inside interface.

Regardless of whether it is directly connected or not, if you have an inside ACL you still need a permit entry for that traffic. Best to simulate the traffic with packet-tracer:

packet-tracer input inside tcp IP-OF-CLIENT 1234 IP-OF-SERVER PORT-ON-SERVER

Run that two times and show the output of the second run.
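Added example (not from the thread or from Cisco): a small Python model of the two ACL lookups discussed above, the crypto-map match ACL and the inside interface ACL, fed with the access-list lines from the thread. The members of DM_INLINE_NETWORK_1, the host 203.0.113.5 entry, and the client and server addresses are assumptions; the inside ACL is assumed to be bound to the inside interface with access-group.

```python
import ipaddress

# Constructed: DM_INLINE_NETWORK_1's members are not in the thread; this subnet is assumed.
OBJECT_GROUPS = {"DM_INLINE_NETWORK_1": ["192.0.2.0/24"]}

# Crypto ACL from the thread plus an inside ACL that exists but has no entry for the VPN traffic.
CONFIG_BEFORE = """
access-list outside_cryptomap extended permit ip 10.199.20.0 255.255.254.0 object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip 10.199.20.0 255.255.254.0 host 203.0.113.5
"""
# The fix from the thread: an explicit permit for the same flow on the inside interface ACL.
CONFIG_AFTER = CONFIG_BEFORE + (
    "access-list inside_access_in extended permit ip 10.199.20.0 255.255.254.0 object-group DM_INLINE_NETWORK_1\n")

def _operand(tok, i):
    """Parse one ACE address operand: any | host A | object-group G | ADDR MASK."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tok[i + 1]]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2  # ADDR MASK form

def parse_acls(config):
    """Group 'access-list NAME extended ACTION ip SRC DST' lines by ACL name."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        src, i = _operand(tok, 5)
        dst, _ = _operand(tok, i)
        acls.setdefault(tok[1], []).append((tok[3], src, dst))
    return acls

def acl_verdict(aces, src, dst):
    """First matching ACE wins; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts in aces:
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "deny"

def vpn_flow_check(config, src, dst):
    """Both lookups must permit the flow: the inside interface ACL (if one is bound) and the crypto ACL."""
    acls = parse_acls(config)
    inside = "inside_access_in" not in acls or acl_verdict(acls["inside_access_in"], src, dst) == "permit"
    crypto = acl_verdict(acls.get("outside_cryptomap", []), src, dst) == "permit"
    return {"inside_acl": inside, "crypto_map": crypto, "passes": inside and crypto}
```

This models only the two ACL lookups, not NAT or the other phases packet-tracer walks through; on the box itself, the packet-tracer command above is the check to run.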