Hi, I have configured an IPSEC tunnel between my remote location and the main location and mapped it to the serial interface. After this, IPSEC is working fine. I am able to see the encryption and decryption in the "sh crypto engine conn active" command. But I am not able to telnet to the remote branch Ethernet IP (but I am able to ping it). This is happening even after configuring proper ACLs at both ends. Can anyone help out to resolve this telnet problem?
We do not have enough information here to diagnose very well what the problem is. Can you provide some information about the topology, details of how IPSec is configured, and most especially the details of the access lists (from both ends)? If we have this, perhaps we will be able to help find the problem.
I have looked at the information that you have posted and I have several things that I do not understand well. The config of the main location router has this source address 172.22.72.0 0.0.7.255 so I would expect to see those addresses as destinations in the access list of the remote, but it is not there. Also the access list at the remote has this source address 172.22.74.0 0.0.0.255 which is contained within the range of addresses specified at the main site. I asked for some information about topology which we do not yet have but it certainly looks like the central site is planning to talk to addresses 172.16.0.0 and 172.20.0.0 but I am not sure that these addresses are at the remote site. I also note that the access list is only permitting tcp. This means that only tcp will be protected by IPSec. So any UDP traffic and any ICMP traffic will not be in IPSec.
That probably explains why you can ping but cannot telnet. The ping is not going through IPSec but the telnet is trying to go through IPSec.
Perhaps you can clear up some of these things and let us know what happens.
Sorry for the incomplete information provided. Actually, we have a central site and around 50 locations connected to it through serial leased lines (64 Kbps).
So we are running IPSEC over the leased lines (point to point). I have again attached the correct running configurations of one sample remote location and also the related main location router's config. Please go through it and suggest the solution.
3) Again, I note that the access list is only matching TCP traffic. So only TCP traffic will be protected by IPSec. Is that what you intend?
Since the addresses used here are significantly different from the other ones that you posted, perhaps you could also clarify what the problem is here. If there is a problem with telnet could you be specific about what source address is in the telnet and what destination address is used by the telnet?
I will look into all your suggestions and I will let you know. But here I just want to tell you that we are trying to telnet from the 172.16.200.0 subnet to the remote branch Ethernet (172.16.6.1). So we should be able to telnet with the above ACLs, right? Please clarify.
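To make the diagnosis in this thread concrete (a TCP-only crypto ACL protects telnet but lets ICMP through in the clear, and the two ends' ACLs must be mirror images), here is an added example, not code from any post in the thread. It evaluates flows against Cisco-style crypto ACL lines with wildcard masks; the ACL entries and the source host 172.16.200.10 are constructed for illustration, not taken from the attached configs.

```python
import ipaddress
from typing import NamedTuple


class Ace(NamedTuple):
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", "udp" or "icmp"
    src: tuple         # (address as int, wildcard as int)
    dst: tuple


def _addr_spec(tokens):
    """Consume one Cisco address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_ace(line):
    """Parse 'permit|deny <proto> <src spec> <dst spec>' (no port qualifiers)."""
    tokens = line.split()
    rest = tokens[2:]
    return Ace(tokens[0], tokens[1], _addr_spec(rest), _addr_spec(rest))


def _match(spec, addr):
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF          # wildcard bit 1 = "don't care", so mask it off
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)


def is_protected(acl, proto, src, dst):
    """True if the flow is 'interesting traffic' (first matching ACE is a permit)."""
    for ace in acl:
        if ace.proto in ("ip", proto) and _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action == "permit"
    return False                       # implicit deny: the packet is sent in clear text


def is_mirror(local, remote):
    """True if every permit ACE on one side appears on the other with src/dst swapped."""
    lp = {(a.proto, a.src, a.dst) for a in local if a.action == "permit"}
    rp = {(a.proto, a.dst, a.src) for a in remote if a.action == "permit"}
    return lp == rp


# Constructed ACLs modelled on the thread: TCP only, central subnet to the branch Ethernet.
MAIN_ACL = [parse_ace("permit tcp 172.16.200.0 0.0.0.255 host 172.16.6.1")]
REMOTE_ACL = [parse_ace("permit tcp host 172.16.6.1 172.16.200.0 0.0.0.255")]
BAD_REMOTE_ACL = [parse_ace("permit tcp 172.22.74.0 0.0.0.255 any")]   # does not mirror MAIN_ACL
```

With these entries a telnet from 172.16.200.10 to 172.16.6.1 matches and goes through IPsec, while a ping between the same hosts does not match (ICMP is not TCP) and travels unencrypted, which is exactly the asymmetry the replies describe.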