Need some help with L2L tunnel "weirdness"

All,

I have an L2L tunnel with a vendor. The tunnel works, but I noticed last Friday that not all of the subnets that I want them to get to are configured under their crypto ACL. I called the vendor this morning, and they are able to ping subnets that I don't have specified under their ACL. I've never seen this before, but it's a little unnerving. They can add a subnet on their end and they can ping it on ours.

Here's the relevant config:

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 120 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 120 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 140 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 140 set security-association lifetime kilobytes 4608000

crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 2xx.xx.xx.xx <- vendor ip
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set security-association lifetime seconds 28800
crypto map Outside_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 50 match address Alpine-L2L
crypto map Outside_map 50 set peer 9x.x.x.x
crypto map Outside_map 50 set transform-set ESP-3DES-SHA
crypto map Outside_map 50 set security-association lifetime seconds 28800
crypto map Outside_map 50 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside

crypto isakmp identity hostname
crypto isakmp enable Outside

access-list Outside_cryptomap_20 line 1 extended permit ip 192.168.121.0 255.255.255.0 209.1x.xx.xxx 255.255.255.0 (hitcnt=32) 0x0a0cccd2
access-list Outside_cryptomap_20 line 2 extended permit ip 192.168.55.0 255.255.255.0 209.1x.xx.xxx 255.255.255.0 (hitcnt=3) 0xd4ae41c6

The above shows that they should be able to get to 192.168.55.0 and 192.168.121.0, but they can ping .1.0, .5.0, etc., and I show IPsec SAs when they do.

The ACL, I'm assuming, is passing traffic into a public DMZ, but I'm waiting for more information on this from the vendor. This is something that I've just noticed, and I didn't set this up originally.

Thanks,

John

HTH, John *** Please rate all useful posts ***
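Added example, not from the original post or from Cisco: a small Python audit script for a config like the one above. On the ASA a crypto map is evaluated in sequence order, and the static entry's `match address` ACL is what decides which flows that entry protects; a peer whose proposed proxy identities match no static entry can still negotiate against a dynamic-map binding (here sequence 65535) that carries no `match address`, so the static ACL alone does not bound what the vendor can bring up. The script parses the `access-list` and `crypto map` statements, reports which observed flows the static ACL for a given peer does not cover, and flags any dynamic catch-all. The config is a constructed sample modelled on the post, with RFC 5737 documentation addresses standing in for the masked vendor and remote IPs; only the `permit ip <net> <mask> <net> <mask>` ACL form used in the post is parsed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the config in the post. 203.0.113.10 stands in
# for the masked vendor peer and 198.51.100.0/24 for the masked remote subnet.
SAMPLE_CONFIG = """
access-list Outside_cryptomap_20 line 1 extended permit ip 192.168.121.0 255.255.255.0 198.51.100.0 255.255.255.0 (hitcnt=32) 0x0a0cccd2
access-list Outside_cryptomap_20 line 2 extended permit ip 192.168.55.0 255.255.255.0 198.51.100.0 255.255.255.0 (hitcnt=3) 0xd4ae41c6
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 203.0.113.10
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
"""

# Only the "permit ip <net> <mask> <net> <mask>" form from the post is parsed;
# host/any keywords and object-groups are out of scope for this check.
ACL_RE = re.compile(
    r"^access-list (\S+) (?:line \d+ )?extended permit ip (\S+) (\S+) (\S+) (\S+)"
)
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

AclTable = Dict[str, List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]]


@dataclass
class MapEntry:
    seq: int
    peer: Optional[str] = None     # from "set peer"
    acl: Optional[str] = None      # from "match address"
    dynamic: Optional[str] = None  # from "ipsec-isakmp dynamic <name>"


def parse_acls(config: str) -> AclTable:
    """Collect crypto ACL lines as (local_net, remote_net) pairs per ACL name."""
    acls: AclTable = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}"))
            )
    return acls


def parse_crypto_map(config: str) -> List[MapEntry]:
    """Fold the per-line 'crypto map <name> <seq> ...' statements into entries."""
    entries: Dict[int, MapEntry] = {}
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue  # e.g. 'crypto map Outside_map interface Outside'
        _, seq, rest = m.groups()
        entry = entries.setdefault(int(seq), MapEntry(int(seq)))
        if rest.startswith("match address "):
            entry.acl = rest.split()[-1]
        elif rest.startswith("set peer "):
            entry.peer = rest.split()[-1]
        elif rest.startswith("ipsec-isakmp dynamic "):
            entry.dynamic = rest.split()[-1]
    return [entries[k] for k in sorted(entries)]


def covered_by_static_entry(acls: AclTable, entries: List[MapEntry],
                            peer: str, local: str, remote: str) -> bool:
    """True if a static entry for `peer` has an ACL line permitting local -> remote."""
    local_ip, remote_ip = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    for entry in entries:
        if entry.peer != peer or entry.acl is None:
            continue
        for local_net, remote_net in acls.get(entry.acl, []):
            if local_ip in local_net and remote_ip in remote_net:
                return True
    return False


def dynamic_catch_all(entries: List[MapEntry]) -> List[int]:
    """Sequence numbers of dynamic-map bindings with no 'match address'.
    Such an entry does not restrict the proxy identities a peer may propose,
    so flows that miss every static ACL can still be negotiated there."""
    return [e.seq for e in entries if e.dynamic and e.acl is None]


def audit(config: str, peer: str, flows: List[Tuple[str, str]]) -> dict:
    """Report flows the static ACL for `peer` does not cover, plus any catch-all."""
    acls, entries = parse_acls(config), parse_crypto_map(config)
    uncovered = [f for f in flows
                 if not covered_by_static_entry(acls, entries, peer, *f)]
    return {"uncovered": uncovered, "dynamic_catch_all": dynamic_catch_all(entries)}


if __name__ == "__main__":
    observed = [("192.168.121.5", "198.51.100.7"),  # permitted by ACL line 1
                ("192.168.1.5", "198.51.100.7")]    # not in the ACL, as in the post
    print(audit(SAMPLE_CONFIG, "203.0.113.10", observed))
```

Feed it the local/remote pairs you see in `show crypto ipsec sa` for that peer: anything listed under `uncovered` is a flow the static ACL never permitted, and a non-empty `dynamic_catch_all` tells you which sequence number is accepting them, which is where to look when deciding whether that peer should be allowed to match the dynamic map at all.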