05-23-2017 10:52 AM - edited 02-21-2020 09:17 PM
There is something wrong with my configuration and I can't seem to figure it out. Below is the output from the cisco8201 router when I try to send a ping from a host behind the ASA firewall. Thanks.
router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
72.179.x.x 72.179.x.x QM_IDLE 1280 ACTIVE
IPv6 Crypto ISAKMP SA
router#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpnSite, local addr 72.179.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 72.179.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 72.179.191.71, remote crypto endpt.: 72.179.175.78
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
05-24-2017 08:22 AM
Hi
You have a mismatched ACL for the VPN "interesting traffic" on the ASA (it needs to be a mirror of the peer's ACL).
So, the following line:
access-list vpnAcl extended permit ip 192.168.1.0 255.255.255.0 any
should be replaced with the following line:
access-list vpnAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
Hope that has helped.
Kind regards
Rob
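As an added illustration of the mirror-ACL requirement Rob describes (this is not code from the thread or from Cisco): the checker below reads the local/remote proxy IDs from the router's "show crypto ipsec sa" output quoted in the question, parses plain address/mask ASA extended ACEs, and reports any entry that is not the exact mirror of the peer's proxy IDs. The original "any" line is flagged and the corrected line passes; object-group based ACEs are not handled.

```python
import ipaddress
import re

# Proxy IDs as printed by the router's "show crypto ipsec sa" (lines from the post).
ROUTER_SA_OUTPUT = """\
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?\): \(([\d.]+)/([\d.]+)/")
ACE_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(.+)$")


def _take_network(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def peer_proxy_ids(show_output):
    """Return (local, remote) networks the router side protects."""
    ids = {}
    for m in IDENT_RE.finditer(show_output):
        ids[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
    return ids["local"], ids["remote"]


def asa_acl_pairs(acl_lines):
    """Parse ASA 'permit ip' ACEs into (src, dst) network pairs; skip other lines."""
    pairs = []
    for line in acl_lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src, rest = _take_network(m.group(1).split())
        dst, _ = _take_network(rest)
        pairs.append((src, dst))
    return pairs


def mirror_mismatches(acl_lines, show_output):
    """Return ASA ACEs (as 'src/len', 'dst/len' strings) that do not mirror the peer.

    On the ASA the source must equal the peer's *remote* ident and the
    destination the peer's *local* ident; 'any' on either side is a mismatch.
    """
    peer_local, peer_remote = peer_proxy_ids(show_output)
    expected = (peer_remote, peer_local)
    return [(str(s), str(d)) for s, d in asa_acl_pairs(acl_lines) if (s, d) != expected]
```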
05-25-2017 02:33 PM
It worked!!!! Wow. Thanks. Just a simple ACL breaks the whole network..lol