12-03-2012 01:17 PM
Hi,
there is one parameter, 'acl', which is unclear to me; it's configured on the client side:
crypto ipsec client ezvpn VPN
connect auto
group EASYVPN key cisco
mode client
peer 10.0.0.1
username cisco password cisco
xauth userid mode local
acl 101
Whatever I add to acl 101, the tunnel still works. I found one description:
Step 6 | acl {acl-name | acl-number} | Example: Device(config-crypto-ezvpn)# acl acl-list1 | Specifies multiple subnets in a VPN tunnel.
'Specifies multiple subnets in a VPN tunnel.' - what does it mean, source?
I tried to use this parameter and added an access list:
access-list 123 permit ip 10.10.10.0 0.0.0.255 host 20.0.0.20
access-list 123 permit ip 50.50.50.0 0.0.0.255 host 20.0.0.20
where 10.10.10.0 and 50.50.50.0 are the sources and 20.0.0.20 is the destination.
When I pinged from source 10.10.10.3 (physical interface) to 20.0.0.20, the number of encrypted/decrypted packets grew,
but when I pinged from source 50.50.50.50 (loopback interface) to 20.0.0.20, I saw it wasn't pushed into the tunnel.
Could someone explain how the parameter works and what it is for?
Thank you
Hubert
12-04-2012 01:07 AM
Hubert,
Ref:
In client mode multiple subnets are not supported, nor do they make sense.
You are specifying which internal subnets to advertise to the server as the ones configured behind this device.
In client mode the server sees only the IP address assigned.
M.
12-04-2012 02:32 AM
Hi Marcin,
I changed the client mode to 'network-extension' and, without any acl, it works.
20.0.0.0/24[LAN]---[VPN SERVER]--------[INTERNET]--------[VPN CLIENT]---[LAN] 10.10.10.0/24
traffic between the LAN networks is encrypted.
When I added a new subnet behind the client side:
20.0.0.0/24[LAN]---[VPN SERVER]-----------[INTERNET]-----------[VPN CLIENT]---[LAN] 10.10.10.0/24, 50.50.50.0/24
and the 'acl' parameter to the client configuration:
crypto ipsec client ezvpn VPN
acl 23
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 50.50.50.0 0.0.0.255
traffic between 10.10.10.0/24 and 20.0.0.0/24 is secured, but between 50.50.50.0/24 and 20.0.0.0/24 it is not.
Any idea why?
Hubert
12-12-2012 04:33 AM
Hi,
the problem is resolved now; the client in 'network-ext' mode with the 'acl' parameter works with the external network behind the client (50.50.50.0/24):
crypto ipsec client ezvpn VPN
connect auto
group EASYVPN key cisco
mode network-ext
peer 10.0.0.1
username cisco password cisco
xauth userid mode local
acl 101
access-list 101 permit ip 10.20.20.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 101 permit ip 50.50.50.0 0.0.0.255 20.0.0.0 0.0.0.255
Thanks.
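As an added illustration (not code from this thread, from Cisco, or from any EzVPN implementation), the following Python script models how a crypto ACL selects interesting traffic: an IOS wildcard mask is the bitwise inverse of a netmask (0.0.0.255 is a /24), a standard ACL such as acl 23 above matches on source only, and an extended ACL such as acl 101 matches on source and destination. The uncovered_subnets check reports which client-side subnets an ACL would leave out of the tunnel, which is the mismatch the thread ran into when 50.50.50.0/24 stayed in the clear. The access-list lines are copied from the thread; the function names, the probe-one-host approach and the constructed 60.0.0.1 test address are choices made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two extended entries are the ones from the final working
# config in this thread, the two standard entries are from the earlier attempt.
# This is example input, not a capture from a device.
SAMPLE_ACL = """
access-list 101 permit ip 10.20.20.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 101 permit ip 50.50.50.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 50.50.50.0 0.0.0.255
"""


@dataclass
class AclEntry:
    number: str
    action: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None for a standard ACL: destination is not checked


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network. A wildcard bit of 1 means 'don't care',
    so the netmask is the bitwise inverse of the wildcard (contiguous masks only)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: List[str], i: int):
    """Parse one address spec at tokens[i]: 'any', 'host X', 'X WILDCARD' or a bare 'X'.
    Returns (network, index of the next unparsed token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return wildcard_to_network(tok, tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(tok + "/32"), i + 1  # bare address in a standard ACL = one host


def parse_acl(text: str) -> List[AclEntry]:
    """Parse numbered 'access-list' lines. Only 'ip' extended entries and standard
    entries are handled, which is all this thread uses (no tcp/udp/port matching)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action = tokens[1], tokens[2]
        if tokens[3] == "ip":  # extended ACL: source and destination
            src, i = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, i)
        else:  # standard ACL: source only
            src, _ = _parse_addr(tokens, 3)
            dst = None
        entries.append(AclEntry(number, action, src, dst))
    return entries


def acl_decision(entries: List[AclEntry], number: str, src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation of one numbered ACL, with the implicit deny at the end.
    True means the flow is 'interesting traffic' that the crypto ACL selects."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.number != number:
            continue
        if s in e.src and (e.dst is None or d in e.dst):
            return e.action == "permit"
    return False


def uncovered_subnets(entries, number, client_subnets, remote_subnet) -> List[str]:
    """Report client-side subnets whose traffic to the remote LAN the ACL would not
    select. Probes the first host of each subnet, so this is a quick sanity check,
    not a proof for ACLs that contain host-specific entries."""
    probe_dst = str(next(ipaddress.IPv4Network(remote_subnet).hosts()))
    missing = []
    for cidr in client_subnets:
        probe_src = str(next(ipaddress.IPv4Network(cidr).hosts()))
        if not acl_decision(entries, number, probe_src, probe_dst):
            missing.append(cidr)
    return missing


ENTRIES = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for src, dst in [("50.50.50.50", "20.0.0.20"), ("10.10.10.3", "20.0.0.20")]:
        verdict = "permit" if acl_decision(ENTRIES, "101", src, dst) else "deny"
        print(f"acl 101 {src} -> {dst}: {verdict}")
    print("not covered by acl 101:",
          uncovered_subnets(ENTRIES, "101", ["10.10.10.0/24", "50.50.50.0/24"], "20.0.0.0/24"))
```

Running it shows that acl 101 as posted selects 50.50.50.0/24 to 20.0.0.0/24 but not 10.10.10.0/24 (its first entry names 10.20.20.0/24), which is the kind of gap a quick check like this catches before traffic is found crossing the link unencrypted.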