sorry for omitting those initially.

our end is an ASA and other end has cisco router.

Ipsec tunnel comes up without any problem at first and if ping is done from 172.16.100.2 or so ip to 192.168.100.0 /24 it works well.

however, whenever the remote end 172.16.100.0 255.255.255.248 pings or does traceroute to 192.168.200.110 or 192.168.200.130 , the tunnel goes down.

hope this information is much clearer.

thanks.

so if i understand you right you say the tunnel gpoes down bcoz you dont see ping replies coming in

if that is the reason assuming access-list 195 is the acl to define vpn traffic or crypto traffic, as you can see you are allowing only spefic ports through vpn for that ip's that is hwy you are not able to ping if you want to allow everything between the 2 hosts use the following on crypto acl on both ends

access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit ip host 192.168.200.110   172.16.100.0 255.255.255.248

access-list 195 line 2 extended permit ip host 192.168.300.130 172.16.100.0 255.255.255.248

the change has been highlighted in bold

does that mean if we try to initiate connection to traffic not covered under define acl 195 , the tunnel will go down.

in that case how do we nail down the traffic to only the required tcp or udp ones rather than ip ..

thanks.

the tunnel does not go down, the traffic does not go through the tunnel

so what ever tarffic is defined in that crypto acl only goes through the tunnel

can you please paste the output of

show run crypto -> on the asa

thanks,

i have masked some values.

crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto map kepp 60 match address 195
crypto map kepp 60 set peer y.y.y.y
crypto map kepp 60 set transform-set vpn
crypto map kepp 60 set security-association lifetime seconds 28800
crypto map kepp 60 set security-association lifetime kilobytes 4608000
crypto map kepp interface External
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn VPNASABU.abc.com
subject-name CN=VPNASABU
serial-number
crl configure
crypto isakmp enable outside
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Thank You

yeah so as i said before

make cahnegs to that acl on both ends and pings will start working

Hello!

As far as I know, the best practices are to select only "ip" for the access-list applied on the crypto map.

If you want to limit ports you can do it on your inside access-group ACLs for both ends or use a VPN-FIlter on the ASA.Here's a sample config for the VPN-Filters on the ASA:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

In any case.. if you are willing to test by limiting the protocol on the crypto map access-list, both ends most have exactly the same access-list (mirrored) for the VPN to work. I understand this makes the encryption process harder for the appliance since more Security Associations are created when specific ports are selected instead of when only IP is selected.

Regards,