Interpreting sh crypto ipsec sa command in ASA5505

May 13th, 2010

I am trying to verify that there is no restricted traffic traveling through the VPN tunnel: that the VPN tunnel acts like a trusted network and all ports and protocols are passed and not blocked.

After entering "sh crypto ipsec sa" command, there are a couple of lines that I wanted to confirm with someone here who might know.

      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (

Do these lines from the sh crypto ipsec sa output show that the traffic going through the tunnel is unrestricted? In particular, the zeros for the protocol and ports that are in bold? Does that represent ANY protocol, ANY port?

Jon Marshall Thu, 05/13/2010 - 07:05

It represents any IP packet (because IPSEC is transported in IP) which includes TCP/UDP/ICMP and any port number. Easiest way to verify is simply to look at your crypto acl.
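An added check, not from the thread, that applies the reading above to the ident lines of "show crypto ipsec sa": a proto of 0 and a port of 0 on both the local and remote selector means any IP protocol and any port, while anything else narrows what the SA carries. The output parsed here is a constructed sample using documentation address ranges, not the poster's.

```python
import re

# Constructed sample of the ident lines from "show crypto ipsec sa"; the
# addresses are documentation ranges, not values from the thread.
SAMPLE_OUTPUT = """
    local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
    local ident (addr/mask/prot/port): (203.0.113.0/255.255.255.0/6/0)
    remote ident (addr/mask/prot/port): (192.0.2.128/255.255.255.128/6/3389)
"""

IDENT_RE = re.compile(
    r"^\s*(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)
PROTO_NAMES = {0: "any", 1: "icmp", 6: "tcp", 17: "udp"}  # 0 = any IP protocol

def parse_idents(text):
    """One dict per ident line: side, addr, mask, prot, port (prot/port as ints)."""
    out = []
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            out.append({"side": m["side"], "addr": m["addr"], "mask": m["mask"],
                        "prot": int(m["prot"]), "port": int(m["port"])})
    return out

def describe(sel):
    """Readable selector, e.g. '192.0.2.0/255.255.255.0 any/any'."""
    proto = PROTO_NAMES.get(sel["prot"], str(sel["prot"]))
    port = "any" if sel["port"] == 0 else str(sel["port"])
    return f"{sel['addr']}/{sel['mask']} {proto}/{port}"

def audit_selectors(text):
    """Pair local/remote lines into SAs and flag whether each passes all traffic.

    prot 0 and port 0 on both sides means any IP protocol and any port (the
    selector a 'permit ip' crypto ACL entry produces); anything else narrows
    what the tunnel will carry.
    """
    idents = parse_idents(text)
    results = []
    for local, remote in zip(idents[0::2], idents[1::2]):
        if (local["side"], remote["side"]) != ("local", "remote"):
            raise ValueError("ident lines are not in local/remote pairs")
        unrestricted = all(s["prot"] == 0 and s["port"] == 0 for s in (local, remote))
        results.append({"local": describe(local), "remote": describe(remote),
                        "unrestricted": unrestricted})
    return results
```

Run it over the real output captured from the ASA; any SA reported with unrestricted False is one whose crypto ACL entry is narrower than "permit ip".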


razorbakill Thu, 05/13/2010 - 15:40

I have checked my ACLs repeatedly. The reason I'm asking this question is that I have one site-to-site VPN tunnel up and running. The original networks that are associated with this tunnel are (class C) to (class C). This works just fine; all traffic is passed no matter the protocol or port. But I added another set of networks to the tunnel (same site-to-site tunnel), (class C) to (class C). When I check connectivity between these networks ( to I can ping across the tunnel back and forth. But I can't get past pinging between the added networks. It seems I can't have any TCP sessions. I tried RDP from one PC to another, telnetting to Cisco devices, etc. No go. The only thing I can do between this 2nd pair of networks is ping. Do you know if this is even possible between two ASA5505s with the basic license running version 7.24? Anything you might know to help me resolve this issue would be most appreciated. My running configs are attached along with the sh crypto ipsec sa output.
