
AccessList problem ( ver. 7.0(2) )


dapCZ

IS-IT--Management
Jun 20, 2002
CZ
Hi all,

I have a problem with access from servers on the vpn interface to servers on the inside interface.

Inside servers :

object-group network xxxxx_Praha_servery
network-object 172.17.1.0 255.255.255.0

VPN servers :

object-group network vpn
network-object 172.17.162.0 255.255.255.0
network-object 172.17.163.0 255.255.255.0
network-object 172.17.164.0 255.255.255.0
network-object 172.17.165.0 255.255.255.0
network-object 172.17.166.0 255.255.255.0
network-object 172.17.167.0 255.255.255.0
network-object 172.17.168.0 255.255.255.0
network-object 172.17.169.0 255.255.255.0
network-object 172.17.170.0 255.255.255.0
network-object 172.17.171.0 255.255.255.0
network-object 172.17.172.0 255.255.255.0
network-object 172.17.173.0 255.255.255.0


Static nat inside site to vpn :

static (inside,vpn) 172.17.1.0 172.17.1.0 netmask 255.255.255.0


And AccessList on Interface VPN :

access-list vpn_acl extended permit tcp object-group vpn any eq ftp
access-list vpn_acl extended permit tcp object-group vpn any eq pop3
access-list vpn_acl extended permit tcp object-group vpn any eq www
access-list vpn_acl extended permit tcp object-group vpn any eq https
access-list vpn_acl extended permit tcp object-group vpn any eq aol
access-list vpn_acl extended permit tcp object-group vpn host 172.17.32.167 eq smtp
access-list vpn_acl extended permit tcp object-group vpn any eq 993
access-list vpn_acl extended permit tcp object-group vpn any eq 995
access-list vpn_acl extended permit ip object-group vpn object-group xxxxx_Praha_servery
access-list vpn_acl extended permit tcp object-group blablabla any eq ftp
access-list vpn_acl extended permit tcp object-group blablabla any eq pop3
access-list vpn_acl extended permit tcp object-group blablabla any eq www
access-list vpn_acl extended permit tcp object-group blablabla any eq https
access-list vpn_acl extended permit tcp object-group blablabla any eq aol
access-list vpn_acl extended permit tcp object-group blablabla host 172.17.32.167 eq smtp
access-list vpn_acl extended permit tcp object-group blablabla any eq 993
access-list vpn_acl extended permit tcp object-group blablabla any eq 995
access-list vpn_acl extended permit ip object-group blablabla object-group xxxxx_Praha_servery
access-list vpn_acl extended permit icmp any any

I can ping, but other connections are refused. I need full access from object-group network vpn to object-group network xxxxx_Praha_servery.

thanks

dap
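As an added illustration (not part of the thread), this script evaluates the posted ACL the way the firewall does, first match wins with an implicit deny at the end, over a shortened, constructed excerpt of the object-groups and access-list above. It shows that vpn_acl already permits any IP traffic from the vpn group to xxxxx_Praha_servery, which is consistent with the thread's conclusion that the block lies elsewhere (NAT or the servers' IPsec policy). The port-name table is an assumption covering only the names used in the excerpt.

```python
import ipaddress
# Constructed excerpt of the configuration posted in the thread (object-groups shortened).
CONFIG = """
object-group network xxxxx_Praha_servery
network-object 172.17.1.0 255.255.255.0
object-group network vpn
network-object 172.17.162.0 255.255.255.0
access-list vpn_acl extended permit tcp object-group vpn any eq www
access-list vpn_acl extended permit tcp object-group vpn host 172.17.32.167 eq smtp
access-list vpn_acl extended permit ip object-group vpn object-group xxxxx_Praha_servery
access-list vpn_acl extended permit icmp any any
"""
PORTS = {"ftp": 21, "smtp": 25, "www": 80, "https": 443, "pop3": 110}  # assumed subset

def parse(config):
    """Collect object-group network members and the ACEs of each access-list."""
    groups, acls, current = {}, {}, None
    for tok in (l.split() for l in config.strip().splitlines()):
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(tok[2:])
    return groups, acls

def address_spec(tok, i, groups):
    """Consume one address spec (any / host A / object-group G / A mask) at tok[i]."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    net = tok[i + 1] + "/32" if tok[i] == "host" else f"{tok[i]}/{tok[i + 1]}"
    return [ipaddress.ip_network(net)], i + 2

def acl_permits(config, name, proto, src, dst, dport=None):
    """First-match evaluation of an extended ACL; unmatched flows hit the implicit deny."""
    groups, acls = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls[name]:  # ace = ['extended', action, proto, <src>, <dst>, ('eq', port)]
        snets, i = address_spec(ace, 3, groups)
        dnets, i = address_spec(ace, i, groups)
        port_ok = True
        if i < len(ace) and ace[i] == "eq":
            want = ace[i + 1]
            port_ok = dport == PORTS.get(want, int(want) if want.isdigit() else -1)
        if (ace[2] in ("ip", proto) and port_ok
                and any(src in n for n in snets) and any(dst in n for n in dnets)):
            return ace[1] == "permit"
    return False  # implicit deny at end of list
```

Running acl_permits(CONFIG, "vpn_acl", "tcp", "172.17.162.10", "172.17.1.5", 445) returns True, so a vpn host reaching a Praha server on an arbitrary port is already allowed by the list itself.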
What about the static from vpn to inside? You have inside to VPN but not VPN to inside.
No. Traffic from inside to vpn is already NATed. The problem lies in the IPsec security settings on the W2003 servers. Thanks for the response.

regards

dapCZ