ip access-list on crypto map: behavior is different from the configuration

Answered Question
Sep 5th, 2008

Hello,

I configured an IPsec tunnel between a hub router and some spoke routers. Everything works fine.

My next step is to filter traffic between the sites with ACLs.

One of the ACLs is:

ip access-list extended gre_hub-spoke1
 permit gre host 172.31.254.254 host 172.31.254.1
 permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255

This ACL is referenced by the crypto map:

crypto map gre-tunnel 10 ipsec-isakmp
 set peer 172.31.254.1
 set transform-set myset
 match address gre_hub-spoke1

Why is the behavior different from what is configured?

The "permitted" communication is blocked, other traffic is forwarded.

Thanks and kind regards

Matthias

singhsaju Fri, 09/05/2008 - 07:29

Hello,

Do you see an IPsec SA being built for that traffic? Post the output of "show crypto ipsec sa". Do you see encrypts/decrypts?

HTH

Saju

Please rate if it helps

Correct Answer
singhsaju Fri, 09/05/2008 - 07:52

From the crypto ACL:

permit gre host 172.31.254.254 host 172.31.254.1 ---------------> SAs are built and the traffic is going through

permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255 ---------------------> there are no SAs built for it! Check for a mirror-image ACL entry for it in the crypto ACL on the other side.

HTH

Saju

Please rate if it helps.
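A check for the mirror-image requirement Saju describes, added here as an example rather than code from the thread: it parses the hub's crypto ACL from the post and lists the permit entries that have no reversed counterpart in a peer's crypto ACL. The spoke ACLs (`SPOKE1_ACL_BROKEN`, `SPOKE1_ACL_FIXED`) are constructed for the example.

```python
import ipaddress

def _wildcard_to_net(addr, wildcard):
    """Cisco wildcard (1 bits = don't care) to IPv4Network; only contiguous
    low-order wildcards map to a prefix length."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_ace(line):
    """Parse 'permit <proto> <src> <dst>' (host A.B.C.D | any | A.B.C.D WILDCARD)
    into (proto, src_net, dst_net). Non-permit lines return None, since only
    permit entries select traffic for encryption."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "permit":
        return None
    proto, i, nets = tok[1], 2, []
    while len(nets) < 2:
        if tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            i += 2
        elif tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            nets.append(_wildcard_to_net(tok[i], tok[i + 1]))
            i += 2
    return (proto, nets[0], nets[1])

def missing_mirrors(local_acl, peer_acl):
    """Local permit entries with no exact mirror (same protocol, source and
    destination swapped) in the peer's crypto ACL: no SA forms for them, so
    the crypto map drops that traffic instead of forwarding it."""
    peer = {parse_ace(l) for l in peer_acl} - {None}
    return [l for l in local_acl
            if (a := parse_ace(l)) and (a[0], a[2], a[1]) not in peer]

# Hub crypto ACL from the post; the spoke ACLs are constructed for this example.
HUB_ACL = [
    "permit gre host 172.31.254.254 host 172.31.254.1",
    "permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
]
SPOKE1_ACL_BROKEN = ["permit gre host 172.31.254.1 host 172.31.254.254"]
SPOKE1_ACL_FIXED = SPOKE1_ACL_BROKEN + [
    "permit ip 192.168.10.0 0.0.0.255 10.70.0.0 0.0.0.255"]

if __name__ == "__main__":
    print("no mirror on spoke1:", missing_mirrors(HUB_ACL, SPOKE1_ACL_BROKEN))
    print("after fix:", missing_mirrors(HUB_ACL, SPOKE1_ACL_FIXED))
```

Run it in both directions (hub against spoke and spoke against hub) before blaming the crypto map, since a single unmatched entry on either side leaves that flow without an SA.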
