06-07-2012 07:41 AM
hi all,
i'm reviewing for my CCNA Security and currently at the VPN topic. initially, i had the router's ACL to permit their respective subnet and connectivity on both routers were ok.
R1(config)#access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
R2(config)#access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
i wanted to generate some debugs and modified R1's ACL and after that i wasn't able to ping R1 from R2:
R1(config)#access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
R1(config)#access-list 110 permit icmp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
R2#ping 10.0.1.3 source 10.0.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.3, timeout is 2 seconds:
Packet sent with a source address of 10.0.2.3
.....
Success rate is 0 percent (0/5)
i've tried to re-create the ACL and re-applied the crypto map on both routers but still failed.
please help me sort this out and how to make it work again. see attached config and show/debug output and simple topology diagram for reference.
06-07-2012 07:14 PM
Access-list must mirror image between the 2 routers as you originally have.
Further to that, it is not recommended to configure other protocols (tcp/icmp) for crypto ACL. If you need to configure specific access, that can be done via firewall rules, not the crypto ACL.
Please reconfigure the crypto ACL 101 to be as you have originally and it should work again.
06-07-2012 08:13 PM
hi jennifer,
thanks for your input! i've read again my notes and you're right, a symmetric crypto ACL must be configured for use by IPsec. i've put back the original ACL and it's working again.
06-07-2012 08:52 PM
Great, and thanks for your update. All the best with CCNA Security.
06-08-2012 05:26 AM
VPN tunnel ACL should be matching between both the ends. It cannot vary. Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide