Route aggregation

pbrown
Level 1

I'm setting up a PIX to IOS IPSec VPN. The PIX is on the corporate side and there are several remote networks connected via private lines behind the PIX. The VPN works fine when using 24 bit access lists. If I try to aggregate all of the corp side networks, the tunnel breaks. Is there a fix?

======= WORKING CONFIG =========

crypto map pix 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set pix-set
 match address 101
!
! crypto ACL: one corp /24 to one remote /24 (IOS wildcard masks)
access-list 101 permit ip 172.25.10.0 0.0.0.255 172.17.10.0 0.0.0.255
!

======= NON-WORKING CONFIG =========

crypto map pix 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set pix-set
 match address 101
!
! crypto ACL: corp /24 to the aggregate 172.16.0.0/12 (wildcard 0.15.255.255)
access-list 101 permit ip 172.25.10.0 0.0.0.255 172.16.0.0 0.15.255.255
!

Thanks,

Patrick Brown

1 Reply

gfullage
Cisco Employee

Do you change the access-list on the PIX to be the exact opposite of this at the same time? Do you remove the crypto map off the interface BEFORE changing the access-list, otherwise all traffic will lock up on this device? Do you clear the SAs on both sides?

There shouldn't be any issue with this, as long as the ACL matches on both ends. What do you mean by "the tunnel breaks" exactly?
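The reply's first question, whether the PIX crypto ACL is the exact mirror of the IOS one, is the check that most often explains a tunnel that works for a /24 but not for an aggregate. The script below is an added example, written for this thread and not code from either poster or from Cisco. It parses `permit ip` entries from both sides, converts IOS wildcard masks and PIX subnet masks (PIX access-lists take subnet masks, not wildcards) to prefixes, and verifies that the PIX set equals the IOS set with source and destination swapped. The ACL lines are constructed from the configs in the question; the PIX lines are assumed, since the original post does not show the PIX side. Non-contiguous wildcards and networks with host bits set (a common typo when aggregating) are rejected rather than silently accepted.

```python
import ipaddress
import re

# Constructed IOS side, copied from the non-working config in the thread.
IOS_ACL = [
    "access-list 101 permit ip 172.25.10.0 0.0.0.255 172.16.0.0 0.15.255.255",
]
# Assumed PIX side (not in the thread). PIX syntax uses subnet masks.
PIX_ACL_GOOD = [
    "access-list 101 permit ip 172.16.0.0 255.240.0.0 172.25.10.0 255.255.255.0",
]
# Constructed mismatch: the PIX aggregates to /16 while IOS uses /12.
PIX_ACL_BAD = [
    "access-list 101 permit ip 172.16.0.0 255.255.0.0 172.25.10.0 255.255.255.0",
]

ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)


def wildcard_to_network(addr, wildcard):
    """IOS style: set bits in the wildcard are 'don't care'.

    Rejects non-contiguous wildcards and addresses with host bits set,
    both of which produce a crypto ACL that will never match the far end.
    """
    hostmask = int(ipaddress.IPv4Address(wildcard))
    if hostmask & (hostmask + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - hostmask.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=True)


def netmask_to_network(addr, netmask):
    """PIX style: ordinary subnet mask. strict=True rejects host bits."""
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=True)


def parse_acl(lines, mask_style):
    """Return the set of (src_net, dst_net) pairs for 'permit ip' entries."""
    to_net = wildcard_to_network if mask_style == "wildcard" else netmask_to_network
    pairs = set()
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # remarks, deny lines and non-ip entries are ignored here
        pairs.add((to_net(m["src"], m["smask"]), to_net(m["dst"], m["dmask"])))
    return pairs


def mirror(pairs):
    """Swap source and destination of every pair."""
    return {(dst, src) for src, dst in pairs}


def check_mirror(ios_lines, pix_lines):
    """Compare the mirrored IOS crypto ACL with the PIX crypto ACL.

    Returns (ok, missing_on_pix, extra_on_pix) so the caller can print
    exactly which proxy identities the two ends disagree on.
    """
    expected = mirror(parse_acl(ios_lines, "wildcard"))
    actual = parse_acl(pix_lines, "netmask")
    missing = sorted(expected - actual, key=str)
    extra = sorted(actual - expected, key=str)
    return (not missing and not extra), missing, extra


if __name__ == "__main__":
    for label, pix in (("good", PIX_ACL_GOOD), ("bad", PIX_ACL_BAD)):
        ok, missing, extra = check_mirror(IOS_ACL, pix)
        print(f"{label}: mirror={'OK' if ok else 'MISMATCH'}")
        for src, dst in missing:
            print(f"  PIX is missing: {src} -> {dst}")
        for src, dst in extra:
            print(f"  PIX has extra:  {src} -> {dst}")
```

Run it against the real configs by pasting the `access-list` lines from `show running-config` on each box into the two lists. A mismatch in either direction means the proxy identities the two peers propose in IKE phase 2 differ, which is one common reason an aggregate crypto ACL "breaks" a tunnel that worked with matching /24 entries.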