ACL issue with IPSEC tunnel establishment

Hi

I'm trying to establish an IPsec tunnel between a router and a Checkpoint firewall. I already have 12 locations running with the same setup, establishing tunnels with the firewall. All the locations have the same hardware (1751) and the same IOS.

At present I'm facing some problems in one particular location. Some of my colleagues created an extended access list (101) with 4 entries, 2 of which are unnecessary. Now I'm trying to remove those 2 lines, but I'm not able to.

I first remove the crypto map from the BRI interface, then remove the access-list from the crypto map (name 10 ipsec-isakmp), then remove those 2 lines which are not required.

But it gets disconnected while doing this, so I had to reset the router to bring it up...

Is there any solution to remove those 2 lines without getting disconnected?

Regards

prem

3 REPLIES
Cisco Employee

Re: ACL issue with IPSEC tunnel establishment

Hi Prem,

Could you post the output of sh crypto map? You should be able to modify the access-list if you've taken off the crypto map from the interface.

Thanks

Ranjana

Re: ACL issue with IPSEC tunnel establishment

Hi

At present he's not connected; I will post it once he's connected...

Regards

prem

Re: ACL issue with IPSEC tunnel establishment

Hi

This is the crypto map output:

router1r#sh crypto map
Crypto Map "vpn" 10 ipsec-isakmp
        Peer = r.r.r.r
        Extended IP access list 101
            access-list 101 permit ip x.x.x.0 0.0.0.255 d.d.d.0 0.0.0.255
            access-list 101 permit ip n.n.n.0 0.0.0.255 d.d.d.0 0.0.0.255
            access-list 101 permit ip n.n.n.0 0.0.0.255 d.d.d.0 0.0.0.255
            access-list 101 permit ip x.x.x.0 0.0.0.255 d.d.d.0 0.0.0.255
        Current peer: r.r.r.r
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                omkvpn,
        }
        Interfaces using crypto map omkvpn:
                BRI0:1
                BRI0:2
                Serial0
                BRI0
                BRI0:1
                BRI0:2
router1r#

I want to remove these unwanted ACL entries:

access-list 101 permit ip n.n.n.0 0.0.0.255 d.d.d.0 0.0.0.255
access-list 101 permit ip n.n.n.0 0.0.0.255 d.d.d.0 0.0.0.255

which I'm not able to remove at present...

Regards

prem
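For readers hitting the same problem, here is an added example of how individual entries can be dropped from a numbered crypto ACL without rebuilding the whole list. It is not from the thread or from Cisco; it assumes an IOS release that accepts numbered ACLs in named-ACL edit mode with sequence numbers (12.3 and later), and the sequence numbers 10 to 40 and the addresses x.x.x.0, n.n.n.0 and d.d.d.0 are placeholders matching the output above. The point is that on classic IOS, "no access-list 101 <entry>" removes the entire numbered ACL, which leaves the crypto map with no match address and tears the tunnel down; deleting by sequence number touches only the two unwanted entries.

```cisco
! Added example (not from the thread). Assumes IOS 12.3+ named-ACL edit mode
! for numbered ACLs; addresses and sequence numbers are placeholders.
!
! 1. Save the current configuration first, so that a dropped session can be
!    recovered by reload instead of by hand.
copy running-config startup-config
!
! 2. List ACL 101 with its sequence numbers; these are what the entries are
!    deleted by. The output shape below is illustrative.
show access-lists 101
!   Extended IP access list 101
!       10 permit ip x.x.x.0 0.0.0.255 d.d.d.0 0.0.0.255
!       20 permit ip n.n.n.0 0.0.0.255 d.d.d.0 0.0.0.255
!       30 permit ip n.n.n.0 0.0.0.255 d.d.d.0 0.0.0.255
!       40 permit ip x.x.x.0 0.0.0.255 d.d.d.0 0.0.0.255
!
! 3. Remove only the two unwanted entries by sequence number. Unlike
!    "no access-list 101 permit ...", which on classic IOS deletes the whole
!    list, this leaves entries 10 and 40 in place, so the crypto map keeps a
!    valid "match address 101" and does not have to be removed from BRI0 or
!    Serial0 at all.
configure terminal
 ip access-list extended 101
  no 20
  no 30
 end
!
! 4. Verify what the crypto map now matches on and that the peer SA is still up.
show access-lists 101
show crypto map
show crypto ipsec sa
!
! 5. Only once the tunnel is confirmed working, make the change persistent.
copy running-config startup-config
```

Editing the crypto ACL can still cause the router to re-key existing security associations on some releases, so do this from a session that does not itself depend on the tunnel (console, or the ISDN dial-in path) rather than from inside the VPN. If the IOS on the 1751 does not accept the named-ACL edit mode, the alternative is to build a new ACL (say 102) containing only the two wanted entries, change the crypto map with "match address 102", and then delete 101, so the map never points at an empty list.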
