Cisco Support Community

New Member

vpn fails with crypto map match address <acl>

Hi,

I'm connecting to a PIX 501 with the Cisco VPN Client 4.7. It works if I do not have the match address ACL in the dynamic-map, but fails if I put the match address rule in.

Works:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list DYN-VPN-ACL permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool vpnpool 192.168.2.10-192.168.2.50 mask 255.255.255.0
nat (inside) 0 access-list nonat
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.168.1.5 ****** timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup group1 address-pool vpnpool
vpngroup group1 dns-server 192.168.1.5
vpngroup group1 default-domain alternatives.org
vpngroup group1 split-tunnel DYN-VPN-ACL
vpngroup group1 idle-time 1800
vpngroup group1 password ********

Doesn't work if I add the match address rule in the dynamic-map like so:

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 match address DYN-VPN-ACL
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside

Any hints?

1 REPLY
New Member

Re: vpn fails with crypto map match address <acl>

Try using a numbered ACL for matching.

Regards,

Murali
