04-11-2008 03:01 AM - edited 03-05-2019 10:20 PM
Hi all, I have 2 routers connected via a serial link, RA and RB. RA has a PC in its LAN with IP 10.1.1.30/24, RB has a PC with IP 10.2.1.30/24. Now I am deploying a very SIMPLE site-to-site VPN with this access-list on both sides:
access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255
Now I think that it should work, but it didn't. I want to know why is that??? When traffic originates from 10.1.1.30, doesn't it match 10.0.0.30 0.255.255.0?? Can someone clear my confusion?
thanks
04-11-2008 03:16 AM
Hi There
Is the wildcard mask you are using correct, or is this a typing error?
Are you sure that 0.255.255.0 is a valid wildcard mask? I have never seen a wildcard mask like this.
Can I ask what you wish to achieve with the access list you are applying?
Best Regards,
Michael
04-11-2008 03:33 AM
Hi,
The ACL "access-list 111 permit ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255" will allow all hosts with 10.x.y.30 to any IPv4 address in 10.0.0.0/8. As such it is somewhat unusual, but correct.
To have maximum control one would rather use
access-list 111 permit ip host 10.1.1.30 host 10.2.1.30
access-list 111 permit ip host 10.2.1.30 host 10.1.1.30
This would only allow your two PCs to exchange traffic.
Regarding your problem: it will be helpful to post your IPsec configuration, as the problem might be somewhere else. Did you check if the tunnel comes up?
Hope this helps! Please use the rating system.
Regards, Martin
04-11-2008 04:14 AM
Hi Martin
Well, that just blows everything I thought I knew (through CCNA studies) right out of the water.
I always thought that the wild card mask was the inverse of the subnet mask.
i.e.
subnet mask 255.255.255.0 -or- 11111111.11111111.11111111.00000000
Wildcard mask 0.0.0.244 -or- 00000000.00000000.00000000.11111111
Now it appears that you can create wildcard masks any way you like and there is no structure to adhere to.
Is there some book that I can read up on this use of wildcard masks?
Best Regards,
Michael
04-11-2008 07:28 AM
Dear Michael, there is a misconception that wildcards are strictly the inverse of the subnet mask; you can check this by using simple filtering with a simple access-list. Now, regarding what I want to do, it is as follows.
I am trying to deploy GET VPN in my environment. I have 100 branches country-wide and each branch has a server whose traffic needs to be encrypted. Now, this is common in every server IP: 10.x.x.30, e.g. 10.1.2.30, 10.1.3.30, 10.102.78.30. The access-list cannot be defined on the group members, so I want to create an access-list on a key server that just permits the traffic sourced from my servers (10.x.x.30) and destined to any 10.0.0.0 network (10.0.0.0 0.255.255.255). I hope you guys now get an idea of what I am trying to achieve. But before that I tried testing this access-list with a simple site-to-site VPN and it didn't work. I don't get it: this statement is correct, 10.0.0.30 0.255.255.0, then why is it not working???
Anybody??
04-11-2008 07:45 AM
Michael
It is a common understanding but not really correct that wildcard masks are always the inverse of subnet masks. If you change always to usually then the statement is correct. The wildcard mask is usually the inverse of the subnet mask but it is not always.
A key difference is that subnet masks have a requirement that the binary 1s and 0s be contiguous. So a subnet mask of 255.0.0.255 is invalid. But its inverse 0.255.255.0 is quite valid.
In a lot of access lists we want to permit or deny particular subnets and so the wildcard mask that we use is the inverse of the subnet mask. But sometimes we want the access list to match on things that are not particular subnets (like match on any host equal to 30 in the class A network 10).
HTH
Rick
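To make the bit-level behaviour Rick describes concrete, here is an added Python example (not from any poster in the thread): a wildcard match is a masked compare of address bits, so the thread's mask 0.255.255.0 selects every 10.x.y.30 host even though the same bit pattern would be an invalid (non-contiguous) subnet mask. The ACL entry and sample addresses are taken from the thread; the function names are my own.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches the ACL pair 'base wildcard'.

    In an IOS-style wildcard mask a 0 bit means 'must equal the base
    address', a 1 bit means 'don't care'.  Nothing requires the bits to
    be contiguous, which is why 0.255.255.0 is a legal wildcard.
    """
    care = ~_to_int(wildcard) & MASK32          # bits that must match
    return (_to_int(addr) & care) == (_to_int(base) & care)


def is_valid_subnet_mask(mask: str) -> bool:
    """A subnet mask must be a run of 1s followed by a run of 0s."""
    inv = ~_to_int(mask) & MASK32               # 0...01...1 if contiguous
    return (inv & (inv + 1)) == 0


def wildcard_from_subnet_mask(mask: str) -> str:
    """The usual way a wildcard is derived: bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(~_to_int(mask) & MASK32))


# The entry from the thread:
#   access-list 111 permit ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255
ACL_111 = [("10.0.0.30", "0.255.255.0", "10.0.0.0", "0.255.255.255")]


def acl_permits(src: str, dst: str, acl=ACL_111) -> bool:
    """First-match evaluation of a permit-only ACL with the implicit deny."""
    for s_base, s_wc, d_base, d_wc in acl:
        if wildcard_matches(src, s_base, s_wc) and wildcard_matches(dst, d_base, d_wc):
            return True
    return False


if __name__ == "__main__":
    for src in ("10.1.1.30", "10.102.78.30", "10.1.1.31", "11.1.1.30"):
        print(f"{src:>13} -> 10.2.1.30 permitted: {acl_permits(src, '10.2.1.30')}")
    print("0.255.255.0 valid as subnet mask:", is_valid_subnet_mask("0.255.255.0"))
```

Any 10.x.y.30 source is permitted to any 10.0.0.0/8 destination, while 10.1.1.31 hits the implicit deny, so an ACL like this is a correct (if unusual) way to select the servers the thread describes.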
04-11-2008 07:36 AM
Dear Martin, my ISAKMP tunnel comes up. I have done this configuration a hundred times; the only difference today was the access-list, and even then the tunnel came up, that is, show crypto isakmp sa showed me idle in the connected, which means that the tunnel is up. OK, I am posting my actual configuration, please check it at your end.
RA connected via serial 2/0 to RB serial 2/0
Crypto isakmp key cisco123 address 11.x.x.2
crypto isakmp policy 10
authentication pre-share
encryption des
group 2
hash md5
crypto ipsec transform-set aset esp-des esp-md5-hmac
access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255
crypto map my 10 ipsec-isakmp
match address 111
set peer 11.x.x.2
set transform-set aset
interface se 2/0
ip address 11.x.x.1 255.0.0.0
crypto map my
Now, as you know, the other side's configuration is an exact replica.
Can you kindly check it at your end?
Thanks