New Member

Interpreting sh crypto ipsec sa command in ASA5505

I'm trying to verify that there is no restricted traffic traveling through the VPN tunnel, i.e. that the VPN tunnel acts like a trusted network and all ports and protocols are passed and not blocked.

After entering "sh crypto ipsec sa" command, there are a couple of lines that I wanted to confirm with someone here who might know.

ASA5505-1

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)

ASA5505-2

local ident (addr/mask/prot/port): (10.4.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.5.0/255.255.255.0/0/0)

Do these lines from the sh crypto ipsec sa output show that the traffic going through the tunnel is unrestricted? In particular, do the zeros for the protocol and ports (the ones in bold) represent ANY protocol, ANY port?

2 REPLIES
Hall of Fame Super Blue

Re: Interpreting sh crypto ipsec sa command in ASA5505

It represents any IP packet (because IPSEC is transported in IP), which includes TCP/UDP/ICMP and any port number. The easiest way to verify is simply to look at your crypto ACL.

Jon
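As an added example (not from this thread or from Cisco), a small Python checker that parses the local/remote ident lines from "show crypto ipsec sa" output on both peers, reports whether each SA's proxy identity covers any protocol and port (prot/port of 0/0), and verifies that the two peers' selectors mirror each other, which is the same check as comparing the crypto ACLs on both ends. The sample output is constructed from the lines quoted in the question, with the second network pair added on each peer to match the described setup.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output, one block per peer (extended from the question's lines).
ASA1_OUTPUT = """
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
local ident (addr/mask/prot/port): (10.1.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.4.5.0/255.255.255.0/0/0)
"""
ASA2_OUTPUT = """
local ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
local ident (addr/mask/prot/port): (10.4.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.5.0/255.255.255.0/0/0)
"""

# Matches the "local ident"/"remote ident" lines as printed by the ASA.
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)"
)

Selector = Tuple[str, str, int, int]  # (addr, mask, proto, port)


def parse_idents(output: str) -> List[Tuple[Selector, Selector]]:
    """Return (local, remote) selector pairs in the order they appear."""
    pairs, local = [], None
    for side, addr, mask, proto, port in IDENT_RE.findall(output):
        sel = (addr, mask, int(proto), int(port))
        if side == "local":
            local = sel
        elif local is not None:
            pairs.append((local, sel))
            local = None
    return pairs


def is_any_proto_port(sel: Selector) -> bool:
    """prot/port of 0/0 means the SA carries any IP protocol and any port."""
    return sel[2] == 0 and sel[3] == 0


def mirrored(peer_a: str, peer_b: str) -> Dict[Tuple[Selector, Selector], bool]:
    """For each SA pair seen on peer A, True if peer B shows the mirror image.

    A pair that is not mirrored (or restricted to one protocol/port on one
    side only) is the first thing to look for when one network pair
    behaves differently from another over the same tunnel."""
    b_pairs = set(parse_idents(peer_b))
    return {(l, r): (r, l) in b_pairs for l, r in parse_idents(peer_a)}
```

Run mirrored(ASA1_OUTPUT, ASA2_OUTPUT) on the real outputs of both ASAs; any False entry points at the selector whose crypto ACL does not match the far end.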

New Member

Re: Interpreting sh crypto ipsec sa command in ASA5505

I have checked my ACLs repeatedly. The reason I'm asking this question is that I have one site-to-site VPN tunnel up and running. The original networks that are associated with this tunnel are 10.1.1.0 (class C) to 10.4.1.0 (class C). This works just fine; all traffic is passed no matter the protocol or port. But I added another set of networks to the tunnel (same site-to-site tunnel), 10.1.5.0 (class C) to 10.4.5.0 (class C). When I check connectivity between these networks (10.1.5.0 to 10.4.5.0) I can ping across the tunnel back and forth. But I can't get past pinging between the added networks. It seems I can't have any TCP sessions. I tried RDP from one PC to another, telnetting to Cisco devices, etc. No go. The only thing I can do between this 2nd pair of networks is ping. Do you know if this is even possible between two ASA5505s with the basic license running version 7.24? Anything you might know to help me resolve this issue would be most appreciated. My running configs are attached along with the sh crypto ipsec sa output.

Thanks
