ip access-list on crypto map: behavior is different to the configuration

Answered Question
Sep 5th, 2008

Hello,


I configured IPsec between a hub router and some spoke routers. All things work fine.


My next step is to filter traffic between the sites with ACLs.


One of the ACLs is:


ip access-list extended gre_hub-spoke1
 permit gre host 172.31.254.254 host 172.31.254.1
 permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255


This ACL is referenced by the crypto map:


crypto map gre-tunnel 10 ipsec-isakmp
 set peer 172.31.254.1
 set transform-set myset
 match address gre_hub-spoke1


Why is the behavior different from what is configured?

The "permitted" communication is blocked, other traffic is forwarded.


Thanks and kind regards

Matthias


singhsaju Fri, 09/05/2008 - 07:29

Hello,


Do you see an IPsec SA being built for that traffic? Post the output of "show crypto ipsec sa". Do you see encrypts/decrypts?


HTH

Saju

Please rate if it helps

Correct Answer
singhsaju Fri, 09/05/2008 - 07:52

From the crypto ACL:

permit gre host 172.31.254.254 host 172.31.254.1 -> SAs are built and the traffic is going through.

permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255 -> there are no SAs built for it! Check for a mirror-image ACL entry for it on the other side in the crypto ACL.


HTH

Saju

Please rate if it helps.
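To make the mirror-image check from the answer concrete, here is an added example that is not part of the thread and not Cisco code: a small Python script that parses the hub's crypto ACL exactly as posted in the question, parses a constructed spoke-side crypto ACL, mirrors each spoke entry (swapping source and destination) and reports every hub entry that has no counterpart on the spoke. The spoke ACL name gre_spoke1-hub and its contents are assumptions made for illustration; the "broken" spoke ACL mirrors only the GRE line, which reproduces the situation described in the answer (an SA for the GRE entry, none for the ip entry). The parser handles only the protocol/source/destination form used in the thread (host, any, and address plus wildcard mask) and fails loudly on anything else, so a port or flag it does not model can never be silently reported as mirrored.

```python
"""Mirror-image check for Cisco IOS crypto ACLs.

Added example, not code from the original thread or from Cisco.
HUB_ACL is the ACL posted in the question; the spoke ACLs and their
name are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass

# The hub-side crypto ACL from the question (quoted, not constructed).
HUB_ACL = """\
ip access-list extended gre_hub-spoke1
 permit gre host 172.31.254.254 host 172.31.254.1
 permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

# Constructed spoke-side ACL that mirrors only the GRE entry (assumption).
SPOKE_ACL_BROKEN = """\
ip access-list extended gre_spoke1-hub
 permit gre host 172.31.254.1 host 172.31.254.254
"""

# Constructed spoke-side ACL that mirrors both entries (assumption).
SPOKE_ACL_FIXED = """\
ip access-list extended gre_spoke1-hub
 permit gre host 172.31.254.1 host 172.31.254.254
 permit ip 192.168.10.0 0.0.0.255 10.70.0.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    """One permit entry: protocol plus source and destination networks."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirrored(self) -> "Ace":
        # The peer's entry must name our destination as its source and vice versa.
        return Ace(self.proto, self.dst, self.src)


def _parse_endpoint(tokens, i):
    """Parse 'host A.B.C.D', 'any' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    # A non-contiguous wildcard makes IPv4Network raise ValueError, which is intended.
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Return the permit entries of an extended ACL, in configuration order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue  # name line, remarks and deny entries are not proxy identities
        proto = tokens[1]
        src, i = _parse_endpoint(tokens, 2)
        dst, i = _parse_endpoint(tokens, i)
        if i != len(tokens):
            raise ValueError(f"unsupported ACE syntax (ports/flags not modelled): {line!r}")
        aces.append(Ace(proto, src, dst))
    return aces


def unmirrored(local_acl, remote_acl):
    """Local entries for which the remote crypto ACL holds no exact mirror image."""
    remote_mirrors = {ace.mirrored() for ace in parse_acl(remote_acl)}
    return [ace for ace in parse_acl(local_acl) if ace not in remote_mirrors]


def to_ios(ace):
    """Render an entry back into IOS extended-ACL syntax for reporting."""
    def endpoint(net):
        if net.prefixlen == 32:
            return f"host {net.network_address}"
        if net.prefixlen == 0:
            return "any"
        return f"{net.network_address} {net.hostmask}"
    return f"permit {ace.proto} {endpoint(ace.src)} {endpoint(ace.dst)}"


if __name__ == "__main__":
    for label, spoke in (("broken", SPOKE_ACL_BROKEN), ("fixed", SPOKE_ACL_FIXED)):
        missing = unmirrored(HUB_ACL, spoke)
        print(f"spoke ACL '{label}': {len(missing)} hub entries without a mirror")
        for ace in missing:
            print("  no SA will be built for:", to_ios(ace))
```

Run against the broken spoke ACL the script names the single `permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255` entry as unmirrored, which is the entry the answer identifies as the one without an SA; against the fixed ACL it reports nothing in either direction. Running the check both ways (hub against spoke and spoke against hub) is worth the extra line, since an extra entry on the spoke is just as much a mismatch as a missing one.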
