02-12-2008 04:36 AM - edited 03-03-2019 08:40 PM
Hi All,
I'm setting up a number of VPN/IPsec tunnels on a Cisco 876.
When I enter the necessary ACLs, I get no error, but when I check my running config, the router seems to have altered the ACL.
Here's what happens:
Router(config)#access-list 111 remark *** Tunnel naar Takman Ommen ***
Router(config)#access-list 111 permit ip 192.168.26.0 255.255.255.0 192.168.28.0 255.255.255.0
Router(config)#end
Router#sh access-l
Extended IP access list 111
10 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
Running the Version 12.4(15)T1.
Config attached.
02-12-2008 04:45 AM
Hi,
Simply put, you are not matching any specific criteria here. Looking at your config:
permit ip 192.168.26.0 255.255.255.0 192.168.28.0 255.255.255.0
you are saying "I don't care about 192.168.26" in your ACL; it's not a subnet mask equation, but rather a wildcard-bits match.
The correct one is as below:
access-list 111 permit ip 192.168.26.0 0.0.0.255 192.168.28.0 0.0.0.255
HTH
Mohamed
02-12-2008 05:24 AM
I have seen this behavior, and as said above it is due to the use of subnet masks instead of inverse wildcard masks while defining the access-list.
These are common errors, particularly if you are used to working on PIX/ASA, where we do not use inverse masks.
HTH
Narayan
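The two answers above describe the same mechanism: in an IOS ACL a wildcard bit of 1 means "don't care", so the router zeroes those bits of the address before storing the entry, and a subnet mask typed where a wildcard belongs turns 192.168.26.0 into 0.0.0.0. The following Python is an added example written for this page (not code from the thread or from Cisco) that reproduces that normalisation, renders the entry the way "show access-lists" printed it in the original post, converts a PIX/ASA-style mask to the inverse mask, and checks which packets each version of the entry actually matches. The function names, the Ace tuple layout and the sample packet addresses are my own choices.

```python
from ipaddress import IPv4Address

# An access-list entry as typed: (src, src_wildcard, dst, dst_wildcard).
# Names and the sample packets below are my own; the masking rule is how IOS
# evaluates wildcard bits (1 = "don't care", 0 = "must match").
Ace = tuple[str, str, str, str]


def _int(a: str) -> int:
    return int(IPv4Address(a))


def _str(i: int) -> str:
    return str(IPv4Address(i & 0xFFFFFFFF))


def care_bits(wildcard: str) -> int:
    """Bits that must match: the complement of the wildcard."""
    return ~_int(wildcard) & 0xFFFFFFFF


def normalize(addr: str, wildcard: str) -> str:
    """Address as IOS stores it: 'don't care' bits are zeroed, which is why
    192.168.26.0 with wildcard 255.255.255.0 shows up as 0.0.0.0."""
    return _str(_int(addr) & care_bits(wildcard))


def render(seq: int, ace: Ace) -> str:
    """Render the ACE the way 'show access-lists' prints it."""
    src, swc, dst, dwc = ace
    return f"{seq} permit ip {normalize(src, swc)} {swc} {normalize(dst, dwc)} {dwc}"


def wildcard_from_mask(mask: str) -> str:
    """Convert a PIX/ASA-style subnet mask to the inverse mask an IOS ACL expects."""
    return _str(~_int(mask))


def _match(addr: str, base: str, wildcard: str) -> bool:
    cb = care_bits(wildcard)
    return (_int(addr) & cb) == (_int(base) & cb)


def ace_matches(src: str, dst: str, ace: Ace) -> bool:
    """True if a packet src->dst is matched by the ACE (care bits compared only)."""
    s, swc, d, dwc = ace
    return _match(src, s, swc) and _match(dst, d, dwc)


# The entry from the original post (subnet masks where wildcards belong) and the fix.
WRONG: Ace = ("192.168.26.0", "255.255.255.0", "192.168.28.0", "255.255.255.0")
RIGHT: Ace = ("192.168.26.0", "0.0.0.255", "192.168.28.0", "0.0.0.255")

if __name__ == "__main__":
    print(render(10, WRONG))  # 10 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
    print(render(10, RIGHT))  # 10 permit ip 192.168.26.0 0.0.0.255 192.168.28.0 0.0.0.255
    print(wildcard_from_mask("255.255.255.0"))  # 0.0.0.255
    # Constructed packets: the intended LAN-to-LAN flow and an unrelated one.
    for src, dst in (("192.168.26.5", "192.168.28.7"), ("10.1.1.0", "172.16.5.0")):
        print(src, "->", dst,
              "wrong:", ace_matches(src, dst, WRONG),
              "right:", ace_matches(src, dst, RIGHT))
```

The last loop is the practical point: with the subnet masks in place the entry no longer matches the intended 192.168.26.x to 192.168.28.x traffic at all (the only "care" bits are the host octet, which must be 0), while it does match any source and destination whose last octet is 0, wherever they are. For crypto ACLs that means the tunnel never comes up for real traffic, so a quick "show access-lists" after entering each line is worth the habit.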
02-12-2008 05:27 AM
Brilliant, on the money. I spend way too much time on ASAs.
Thanks a million for putting me in my place :-)