Hello,
In my topology (attached below) I've configured an IPsec tunnel successfully, and all hosts can ping each other with no problems.
My goal is:
- Host 3 (192.168.3.1/24) can ping Host 2 (172.16.2.1/24)
- Host 2 can ping Host 3
- Host 1 (192.168.4.1/24) can ping Host 3
- Host 3 cannot ping Host 1
- Host 1 can ping Host 2
- Host 2 cannot ping Host 1
I configured the following ACLs on router R1:
ip access-list extended out-host 3
 permit ip 172.16.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect mirror
----------------------------
ip access-list extended out-host 1
 evaluate mirror
----------------------------
And this one on router R2:
ip access-list extended out-host 2
 permit ip 192.168.3.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 172.16.2.0 0.0.0.255 reflect mirror
--------------------------------------
Host 3 and Host 2 can ping each other successfully.
Host 3 cannot reach Host 1 (success),
but Host 1 cannot reach Host 2. I know that the reflexive ACL is unable to pass through the IPsec tunnel, so what should I do to make it work?
Thank you.
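The following is an added example, not part of the original post and not verified on the poster's topology. It shows the same six-point policy expressed with the reflexive ACL anchored on R1's LAN-facing interface toward Host 1 rather than on the tunnel path. The reasoning it illustrates: reflexive ACL state is local to the router that evaluates the `reflect` entry, so the `mirror` entries that R2 creates when Host 1's packets reach `out-host 2` are never consulted by the `evaluate mirror` on R1, and R1 itself only creates entries for Host 1 to Host 3 flows (the `reflect` on `out-host 3`), never for Host 1 to Host 2 flows that leave through the tunnel. Placing `reflect` inbound and `evaluate` outbound on the interface facing Host 1 creates and checks the state on one router, on cleartext traffic, regardless of what the IPsec path does. Interface names, the `timeout` value, and the ACL names without spaces (IOS does not accept spaces in named ACLs) are assumptions.

```cisco
! ---- R1 ----
! Interface toward Host 1 (192.168.4.0/24): assumed name GigabitEthernet0/1
! Inbound: anything Host 1 originates is permitted and mirrored.
! This covers both Host 1 -> Host 3 (local) and Host 1 -> Host 2 (via tunnel).
ip access-list extended host1-in
 permit ip 192.168.4.0 0.0.0.255 any reflect mirror timeout 120
 deny   ip any any log
!
! Outbound toward Host 1: only replies to flows Host 1 started are allowed,
! so neither Host 3 nor Host 2 can initiate traffic to Host 1.
ip access-list extended host1-out
 evaluate mirror
 deny   ip any any log
!
interface GigabitEthernet0/1
 ip access-group host1-in in
 ip access-group host1-out out
!
! Interface toward Host 3 (192.168.3.0/24): assumed name GigabitEthernet0/2
! Host 3 <-> Host 2 is bidirectional by policy, so a static permit is enough;
! Host 1 -> Host 3 is permitted statically here and its replies are matched
! by host1-out (mirror entries) on the way back to Host 1.
ip access-list extended out-host3
 permit ip 172.16.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/2
 ip access-group out-host3 out
!
! ---- R2 ----
! Interface toward Host 2 (172.16.2.0/24): assumed name GigabitEthernet0/1
! No reflexive state is needed on R2: Host 2's replies to Host 1 are filtered
! on R1, and Host 2 -> Host 3 is allowed outright by policy.
ip access-list extended out-host2
 permit ip 192.168.3.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/1
 ip access-group out-host2 out
```

To confirm the state is being created where expected, ping Host 2 from Host 1 and run `show ip access-lists mirror` on R1: a temporary entry for 192.168.4.1 to 172.16.2.1 (ICMP) should appear while the ping is running and age out after the configured timeout. If the entry appears but the reply is still dropped, the problem is elsewhere on the return path (the `deny ... log` lines in the example will show which ACL dropped it).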