Unable to ping VPN peer after modifying ACL

Unanswered Question
Jun 7th, 2012

hi all,

i'm reviewing for my CCNA Security and currently at the VPN topic. initially, i had the router's ACL to permit their respective subnet and connectivity on both routers were ok.

R1(config)#access-list 110 permit ip

R2(config)#access-list 101 permit ip

i wanted to generate some debugs and modified R1's ACL and after that i wasn't able to ping R1 from R2:

R1(config)#access-list 110 permit tcp

R1(config)#access-list 110 permit icmp

R2#ping source

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Packet sent with a source address of


Success rate is 0 percent (0/5)

i've tried to re-create the ACL and re-applied the crypto map on both routers but still failed.

please help me sort this out and how to make it work again. see attached config and show/debug output and simple topology diagram for reference.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jennifer Halim Thu, 06/07/2012 - 19:14

Access-list must mirror image between the 2 routers as you originally have.

Further to that, it is not recommended to configure other protocols (tcp/icmp) for crypto ACL. If you need to configure specific access, that can be done via firewall rules, not the crypto ACL.

Please reconfigure the crypto ACL 101 to be as you have originally and it should work again.

johnlloyd_13 Thu, 06/07/2012 - 20:13

hi jennifer,

thanks for your input! i've read again my notes and you're right, a symmetric crypto ACL must be configured for use by IPsec. i've put back the original ACL and it's working again.

nkarthikeyan Fri, 06/08/2012 - 05:26

VPN tunnel ACL should be matching between both the ends. It cannot vary. Thanks


This Discussion

Related Content