Cisco Support Community
Community Member

tunnel drop

We have the below access list for an IPsec tunnel:

access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit tcp host 192.168.200.110 eq 6600 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit udp host 192.168.300.130 172.16.100.0 255.255.255.248 eq domain

When the remote end of the IPsec tunnel even tries to ping or traceroute to 192.168.200.110 or 192.168.300.130, the VPN connection goes down.

Why does it do so?

TIA.

1 ACCEPTED SOLUTION
Cisco Employee

Re: tunnel drop

So if you do not want to allow everything, you can use what you have and, in addition to that, allow ICMP between the two hosts for testing connectivity:

access-list 195 extended permit icmp host 192.168.200.110 172.16.100.0 255.255.255.248
access-list 195 extended permit icmp host 192.168.300.130 172.16.100.0 255.255.255.248

Hope this helps.

Let me know if you have more questions.

9 REPLIES
Cisco Employee

Re: tunnel drop

Hi,

Please brief us more about what the two devices in question are and what kind of VPN is set up.

Also, what exactly do you mean when you say that ping brings down the tunnel (is it that ping brings the tunnel down, or that the tunnel is not coming up at all)?

Community Member

Re: tunnel drop

Sorry for omitting those initially.

Our end is an ASA and the other end has a Cisco router.

The IPsec tunnel comes up without any problem at first, and if a ping is done from 172.16.100.2 or so to 192.168.100.0/24 it works well.

However, whenever the remote end 172.16.100.0 255.255.255.248 pings or does a traceroute to 192.168.200.110 or 192.168.200.130, the tunnel goes down.

Hope this information is much clearer.

Thanks.

Cisco Employee

Re: tunnel drop

So if I understand you right, you say the tunnel goes down because you don't see ping replies coming in.

If that is the reason, and assuming access-list 195 is the ACL that defines the VPN (crypto) traffic: as you can see, you are allowing only specific ports through the VPN for those IPs, and that is why you are not able to ping. If you want to allow everything between the two hosts, use the following crypto ACL on both ends:

access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit ip host 192.168.200.110 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit ip host 192.168.300.130 172.16.100.0 255.255.255.248

The change has been highlighted in bold.

Community Member

Re: tunnel drop

Does that mean that if we try to initiate a connection for traffic not covered under the defined ACL 195, the tunnel will go down?

In that case, how do we nail down the traffic to only the required TCP or UDP ones rather than IP?

Thanks.

Cisco Employee

Re: tunnel drop

The tunnel does not go down; the traffic does not go through the tunnel.

So only whatever traffic is defined in that crypto ACL goes through the tunnel.

Can you please paste the output of

show run crypto -> on the ASA

Community Member

Re: tunnel drop

Thanks,

I have masked some values.

crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto map kepp 60 match address 195
crypto map kepp 60 set peer y.y.y.y
crypto map kepp 60 set transform-set vpn
crypto map kepp 60 set security-association lifetime seconds 28800
crypto map kepp 60 set security-association lifetime kilobytes 4608000
crypto map kepp interface External
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn VPNASABU.abc.com
subject-name CN=VPNASABU
serial-number
crl configure
crypto isakmp enable outside
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Thank You

Cisco Employee

Re: tunnel drop

Yeah, so as I said before:

Make changes to that ACL on both ends and pings will start working.


Community Member

Re: tunnel drop

Hello!

As far as I know, the best practice is to select only "ip" for the access-list applied on the crypto map.

If you want to limit ports, you can do it on your inside access-group ACLs on both ends or use a VPN-Filter on the ASA. Here's a sample config for VPN-Filters on the ASA:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

In any case, if you are willing to test by limiting the protocol on the crypto map access-list, both ends must have exactly the same access-list (mirrored) for the VPN to work. I understand this makes the encryption process harder for the appliance, since more Security Associations are created when specific ports are selected than when only IP is selected.

Regards,
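The two points made in this thread (a crypto ACL only selects the traffic it lists, so a ping that matches no ACE is never sent through the tunnel, and the peer's crypto ACL must be the exact mirror of the local one) can be checked with a small model of ASA extended ACL matching. The script below is an added example, not code from the thread or from Cisco. It assumes first-match semantics, ASA-style subnet masks, and a constructed router-side ACL written in ASA syntax so one parser serves both ends. The third ACE from the original post is left out because 192.168.300.130 is not a valid IPv4 address (the poster said some values were masked), and the ICMP ACE from the accepted solution is included to show the effect of adding it.

```python
"""Added example (not from the thread or from Cisco): model of crypto ACL
("match address") selection for an IPsec tunnel, plus a mirror check.
Assumptions: first-match semantics, ASA-style subnet masks; the router
side's ACL is constructed here as the mirror of the ASA's ACL 195."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}   # subset of ASA port names


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tok, i):
    """Parse 'any', 'host A' or 'A MASK' (subnet mask, ASA style) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Parse an optional 'eq PORT' (name or number) at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    if tok[2] == "line":        # drop the optional 'line N' shown by 'show access-list'
        del tok[2:4]
    action, proto = tok[3], tok[4]
    src, i = _addr(tok, 5)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace, proto, src, dst, sport=None, dport=None):
    return ((ace.proto == "ip" or ace.proto == proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and (ace.sport is None or ace.sport == sport)
            and (ace.dport is None or ace.dport == dport))


def is_interesting(acl, proto, src, dst, sport=None, dport=None):
    """First matching ACE decides; no match means the packet is NOT sent through the tunnel."""
    for ace in acl:
        if matches(ace, proto, src, dst, sport, dport):
            return ace.action == "permit"
    return False


def mirror(ace):
    """The peer's crypto ACL must swap source and destination (addresses and ports)."""
    return Ace(ace.action, ace.proto, ace.dst, ace.dport, ace.src, ace.sport)


def is_mirrored(local_acl, remote_acl):
    return {mirror(a) for a in local_acl} == set(remote_acl)


# ACL 195 from the post, minus the third line (192.168.300.130 is not a valid address).
ASA_ACL_195 = [
    "access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248",
    "access-list 195 line 2 extended permit tcp host 192.168.200.110 eq 6600 172.16.100.0 255.255.255.248",
]
# The accepted solution's extra ACE: ICMP between the host and the remote /29.
ICMP_ACE = "access-list 195 extended permit icmp host 192.168.200.110 172.16.100.0 255.255.255.248"
# Constructed router-side mirror, written in ASA syntax so one parser serves both ends.
ROUTER_ACL_MIRROR = [
    "access-list 195 extended permit ip 172.16.100.0 255.255.255.248 192.168.100.0 255.255.255.0",
    "access-list 195 extended permit tcp 172.16.100.0 255.255.255.248 host 192.168.200.110 eq 6600",
]


def ping_reply_encrypted(acl_lines):
    """Is an echo reply from 192.168.200.110 back to 172.16.100.2 sent through the tunnel?"""
    acl = [parse_ace(l) for l in acl_lines]
    return is_interesting(acl, "icmp", "192.168.200.110", "172.16.100.2")


def app_traffic_encrypted(acl_lines):
    """Is a TCP/6600 reply from 192.168.200.110 to the remote /29 sent through the tunnel?"""
    acl = [parse_ace(l) for l in acl_lines]
    return is_interesting(acl, "tcp", "192.168.200.110", "172.16.100.2", sport=6600, dport=40000)


if __name__ == "__main__":
    print("ICMP reply, original ACL:", ping_reply_encrypted(ASA_ACL_195))               # False
    print("ICMP reply, ICMP ACE added:", ping_reply_encrypted(ASA_ACL_195 + [ICMP_ACE]))  # True
    print("TCP 6600 reply, original ACL:", app_traffic_encrypted(ASA_ACL_195))           # True
    asa = [parse_ace(l) for l in ASA_ACL_195]
    rtr = [parse_ace(l) for l in ROUTER_ACL_MIRROR]
    print("Router ACL mirrors ASA ACL:", is_mirrored(asa, rtr))                          # True
```

The ICMP echo request from the remote /29 to 192.168.200.110 is evaluated against the router's crypto ACL, and the reply against the ASA's; with only the TCP and UDP ACEs neither direction matches, so the ping never enters the tunnel even though the tunnel itself stays up. Adding the ICMP ACE (or widening the entry to "ip", as the earlier reply suggests) makes both directions interesting traffic, provided the same change is mirrored on the router.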
