Unable to ping VPN peer after modifying ACL

Jun 7th, 2012

Hi all,

I'm reviewing for my CCNA Security and am currently at the VPN topic. Initially, I had the routers' ACLs permitting their respective subnets, and connectivity on both routers was OK.

R1(config)#access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

R2(config)#access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

I wanted to generate some debugs and modified R1's ACL, and after that I wasn't able to ping R1 from R2:

R1(config)#access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

R1(config)#access-list 110 permit icmp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

R2#ping 10.0.1.3 source 10.0.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.3
.....
Success rate is 0 percent (0/5)

I've tried to re-create the ACL and re-applied the crypto map on both routers, but it still failed.

Please help me sort this out and make it work again. See the attached config, show/debug output and simple topology diagram for reference.

Jennifer Halim Thu, 06/07/2012 - 19:14

The access lists must be mirror images of each other between the 2 routers, as you originally had.

Further to that, it is not recommended to configure other protocols (tcp/icmp) for crypto ACL. If you need to configure specific access, that can be done via firewall rules, not the crypto ACL.

Please reconfigure the crypto ACL 101 to be as you have originally and it should work again.

johnlloyd_13 Thu, 06/07/2012 - 20:13

Hi Jennifer,

Thanks for your input! I've read my notes again and you're right, a symmetric crypto ACL must be configured for use by IPsec. I've put back the original ACL and it's working again.

nkarthikeyan Fri, 06/08/2012 - 05:26

The VPN tunnel ACL should match on both ends. It cannot vary. Thanks
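
The mirror-image requirement from the replies above, as an added example that is not part of the original thread: a Python check that parses two numbered crypto ACLs and reports entries with no mirrored counterpart on the peer. The function names are hypothetical, and the modified ACL 110 is assumed to hold only the two tcp/icmp entries shown in the question.

```python
import re

# Handles only the entry form used in this thread:
# access-list <num> permit|deny <proto> <src> <wildcard> <dst> <wildcard>
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_aces(config, acl_number):
    """Return [(action, proto, (src, wildcard), (dst, wildcard))] for one ACL."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.search(line.strip())   # search() tolerates a CLI prompt prefix
        if m and m.group(1) == str(acl_number):
            _, action, proto, s, sw, d, dw = m.groups()
            aces.append((action, proto.lower(), (s, sw), (d, dw)))
    return aces

def mirror(ace):
    """Swap source and destination; action and protocol must stay identical."""
    action, proto, src, dst = ace
    return (action, proto, dst, src)

def mirror_mismatches(local_cfg, local_acl, remote_cfg, remote_acl):
    """Entries on each side that have no mirrored counterpart on the peer."""
    local = parse_aces(local_cfg, local_acl)
    remote = parse_aces(remote_cfg, remote_acl)
    local_only = [a for a in local if mirror(a) not in remote]
    remote_only = [a for a in remote if mirror(a) not in local]
    return local_only, remote_only

# Lines taken from the question above.
R1_ORIGINAL = "R1(config)#access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"
R1_MODIFIED = """\
R1(config)#access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
R1(config)#access-list 110 permit icmp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
"""
R2_CONFIG = "R2(config)#access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"

if __name__ == "__main__":
    for name, cfg in (("original", R1_ORIGINAL), ("modified", R1_MODIFIED)):
        r1_only, r2_only = mirror_mismatches(cfg, 110, R2_CONFIG, 101)
        status = "mirrored" if not (r1_only or r2_only) else "MISMATCH"
        print(f"R1 {name} vs R2: {status}")
        for ace in r1_only:
            print("  R1 entry with no mirror on R2:", ace)
        for ace in r2_only:
            print("  R2 entry with no mirror on R1:", ace)
```
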

Posted June 7, 2012 at 7:41 AM