Unable to ping VPN peer after modifying ACL

Unanswered Question
Jun 7th, 2012
User Badges:
  • Blue, 1500 points or more

hi all,

i'm reviewing for my CCNA Security and currently at the VPN topic. initially, i had the router's ACL to permit their respective subnet and connectivity on both routers were ok.

R1(config)#access-list 110 permit ip

R2(config)#access-list 101 permit ip

i wanted to generate some debugs and modified R1's ACL and after that i wasn't able to ping R1 from R2:

R1(config)#access-list 110 permit tcp

R1(config)#access-list 110 permit icmp

R2#ping source

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Packet sent with a source address of


Success rate is 0 percent (0/5)

i've tried to re-create the ACL and re-applied the crypto map on both routers but still failed.

please help me sort this out and how to make it work again. see attached config and show/debug output and simple topology diagram for reference.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jennifer Halim Thu, 06/07/2012 - 19:14
User Badges:
  • Cisco Employee,

Access-list must mirror image between the 2 routers as you originally have.

Further to that, it is not recommended to configure other protocols (tcp/icmp) for crypto ACL. If you need to configure specific access, that can be done via firewall rules, not the crypto ACL.

Please reconfigure the crypto ACL 101 to be as you have originally and it should work again.

johnlloyd_13 Thu, 06/07/2012 - 20:13
User Badges:
  • Blue, 1500 points or more

hi jennifer,

thanks for your input! i've read again my notes and you're right, a symmetric crypto ACL must be configured for use by IPsec. i've put back the original ACL and it's working again.

Jennifer Halim Thu, 06/07/2012 - 20:52
User Badges:
  • Cisco Employee,

Great, and thanks for your update. All the best with CCNA Security.

nkarthikeyan Fri, 06/08/2012 - 05:26
User Badges:
  • Gold, 750 points or more

VPN tunnel ACL should be matching between both the ends. It cannot vary. Thanks


This Discussion

Related Content