04-18-2016 06:34 AM
I have a site-to-site VPN built between a Cisco 1750 router and an ASA 5555X that is running 9.2(4)5
There is no problem with the transform sets, key exchange, etc. However, I have noticed that the ACLs used to create the encryption domain on the ASA will not function correctly if the network on the 1750 is matched against individual hosts on the ASA.
Example
access-list acme-access extended permit ip 172.25.91.64 255.255.255.224 host 192.168.10.24
on the ASA where 192.168.10.24 is the remote host and 17.25.91.64 /27 is the protected network behind the ASA. If the 192.168.10.24 host tries to ping 172.25.91.70, I see the tunnel begin to form on the ASA and then fail with a "policy failure" message.
If I go the other way, from the 172.25.91.70 host to 192.168.10.24, the tunnel is built and the traffic is allowed.
If I change the ACL to use only network address (in other words, use 192.168.10.0 /24), it works both ways.
What is going on here? If I use an object group instead of individual hosts directly will it work? Not sure why this is failing.
04-19-2016 12:49 AM
This depends on the vendor implementation.
When using policy based IPSEC, the networks on each side shall match. The filtering within the tunnel doesn't rely on establishing a tunnel and can be a host or subnet.
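As an added illustration (not from the thread and not Cisco code), a small Python check that parses the two crypto ACL entries quoted above, converts the IOS wildcard mask to a prefix, and tests whether the two entries are exact mirror images, which is what the proxy IDs of a policy-based tunnel require. The ACL strings are constructed from the entries posted in this thread.

```python
import ipaddress

# Constructed from the ACEs quoted in this thread (one crypto ACL entry per side).
ASA_ACE = "permit ip 172.25.91.64 255.255.255.224 host 192.168.10.24"
IOS_ACE = "permit ip 192.168.10.0 0.0.0.255 172.25.91.64 0.0.0.31"
# The network-to-network ASA entry the original poster says works both ways.
ASA_ACE_NETWORK = "permit ip 172.25.91.64 255.255.255.224 192.168.10.0 255.255.255.0"

def parse_ace(ace, wildcard):
    """Return (src, dst) as ip_network objects for a 'permit ip' entry.
    wildcard=True selects IOS inverse-mask syntax; ASA uses real subnet
    masks plus the 'host' and 'any' keywords."""
    tokens = ace.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are handled here")
    nets, i = [], 2
    while len(nets) < 2:
        if tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1]))
            i += 2
        elif tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            addr, mask = tokens[i], tokens[i + 1]
            if wildcard:
                # Invert explicitly: a wildcard of 0.0.0.0 means a single host,
                # but handed to ip_network as a mask it would be read as /0.
                mask_int = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
                mask = str(ipaddress.IPv4Address(mask_int))
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            i += 2
    return nets[0], nets[1]

def proxy_ids_match(local_ace, local_wildcard, remote_ace, remote_wildcard):
    """True when the remote entry is the exact mirror image (src/dst swapped)
    of the local one, i.e. both peers would propose identical proxy IDs."""
    l_src, l_dst = parse_ace(local_ace, local_wildcard)
    r_src, r_dst = parse_ace(remote_ace, remote_wildcard)
    return l_src == r_dst and l_dst == r_src

def local_within_remote(local_ace, local_wildcard, remote_ace, remote_wildcard):
    """True when the local entry is merely contained in the mirror of the
    remote one (a single host inside the peer's /24). This is the situation
    in the thread: it looks like it should work, but it is not an exact match."""
    l_src, l_dst = parse_ace(local_ace, local_wildcard)
    r_src, r_dst = parse_ace(remote_ace, remote_wildcard)
    return l_src.subnet_of(r_dst) and l_dst.subnet_of(r_src)
```

Running the check on the thread's entries reports containment but no mirror match for the host-based ASA entry, and a mirror match for the network-to-network version.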
04-18-2016 11:41 AM
It seems that the ACLs on the ASA and the router don't match; please check both ends, not only the ASA.
04-18-2016 11:54 AM
The ACL on the router is network-to-network
ip access-list extended CORP-ACCESS
permit ip 192.168.10.0 0.0.0.255 172.25.91.64 0.0.0.31
shouldn't that still work if the ASA ACL allows host 192.168.10.60 to hit 172.25.91.68 ?
04-18-2016 11:57 AM
But when acme-acl is used within the crypto proposal it doesn't match.
For filtering you should use a separate ACL.
04-18-2016 12:14 PM
so it has to match to the letter on both sides, even if both hosts are within the encryption domain?
In other words, if on one side I am allowing access to the entire /27 network, but on the other, it is allowing only a particular host to that network, it will fail? (as in the example above)