Site-to-Site VPN will not route to individual hosts, only entire networks

Colin Higgins
Level 2

I have a site-to-site VPN built between a Cisco 1750 router and an ASA 5555X that is running 9.2(4)5.

There is no problem with the transform sets, key exchange, etc. However, I have noticed that the ACLs used to create the encryption domain on the ASA will not function correctly if the network on the 1750 is matched against individual hosts on the ASA.

Example:

access-list acme-access extended permit ip 172.25.91.64 255.255.255.224 host 192.168.10.24

on the ASA, where 192.168.10.24 is the remote host and 172.25.91.64/27 is the protected network behind the ASA. If the 192.168.10.24 host tries to ping 172.25.91.70, I see the tunnel begin to form on the ASA and then fail with a "policy failure" message.

If I go the other way, from the 172.25.91.70 host to 192.168.10.24, the tunnel is built and the traffic is allowed.

If I change the ACL to use only the network address (in other words, use 192.168.10.0/24), it works both ways.

What is going on here? If I use an object group instead of individual hosts directly will it work? Not sure why this is failing.


5 Replies

Michael Muenz
Level 5

It seems that the ACLs on the ASA and the router don't match; please check both ends, not only the ASA.

Michael Please rate all helpful posts

The ACL on the router is network-to-network

ip access-list extended CORP-ACCESS

 permit ip 192.168.10.0 0.0.0.255 172.25.91.64 0.0.0.31

Shouldn't that still work if the ASA ACL allows host 192.168.10.60 to hit 172.25.91.68?

But when acme-acl is used within the crypto proposal, it doesn't match.

For filtering you should use a separate ACL.

Michael Please rate all helpful posts

So it has to match to the letter on both sides, even if both hosts are within the encryption domain?

In other words, if on one side I am allowing access to the entire /27 network, but on the other, it is allowing only a particular host to that network, it will fail? (as in the example above)

This depends on the vendor implementation. (Accepted solution)

When using policy-based IPsec, the networks on each side shall match. The filtering within the tunnel doesn't rely on establishing a tunnel and can be a host or subnet.

Michael Please rate all helpful posts
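The mirror-image requirement described in the accepted answer can be checked offline before a tunnel is brought up. The following is an added example, not code from this thread or from Cisco: it normalises the ASA netmask syntax and the IOS wildcard syntax of a crypto ACL into traffic selectors and reports every selector that is not mirrored on the far side, using the ACL entries from this thread as constructed input.

```python
import ipaddress


def parse_ace(line, wildcard=False):
    """Turn one 'permit ip <src> <dst>' entry into (src_net, dst_net).

    wildcard=False: ASA syntax, masks are netmasks (255.255.255.224).
    wildcard=True : IOS syntax, masks are wildcard masks (0.0.0.31).
    Raises ValueError if an address is not the base of its network,
    which is itself a misconfiguration worth catching.
    """
    tok = line.split()
    i = tok.index("permit") + 2          # skip 'permit' and the protocol
    nets = []
    while len(nets) < 2:
        if tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1]))   # implicit /32
            i += 2
        elif tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            addr, mask = tok[i], tok[i + 1]
            if wildcard and mask == "0.0.0.0":   # IOS host written as 'a.b.c.d 0.0.0.0'
                mask = "32"
            # ipaddress reads 0.0.0.31 as a host (wildcard) mask and
            # 255.255.255.224 as a netmask, so both styles normalise here.
            nets.append(ipaddress.ip_network(f"{addr}/{mask}"))
            i += 2
    return tuple(nets)


def proxy_id_mismatches(asa_aces, ios_aces):
    """Selectors present on one side but not mirrored on the other."""
    local = {parse_ace(a) for a in asa_aces}
    remote = {(dst, src) for src, dst in (parse_ace(r, wildcard=True) for r in ios_aces)}
    return sorted(f"{s} -> {d}" for s, d in local ^ remote)


# Constructed input taken from the ACL entries quoted in this thread.
ROUTER_ACE = "permit ip 192.168.10.0 0.0.0.255 172.25.91.64 0.0.0.31"
ASA_HOST_ACE = ("access-list acme-access extended permit ip "
                "172.25.91.64 255.255.255.224 host 192.168.10.24")
ASA_NET_ACE = ("access-list acme-access extended permit ip "
               "172.25.91.64 255.255.255.224 192.168.10.0 255.255.255.0")

if __name__ == "__main__":
    print("host ACE :", proxy_id_mismatches([ASA_HOST_ACE], [ROUTER_ACE]))
    print("net ACE  :", proxy_id_mismatches([ASA_NET_ACE], [ROUTER_ACE]))
```

An empty list means every selector has an exact mirror on the other peer; anything listed is a proxy-ID pair that will not agree during phase 2 negotiation.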