Cisco Support Community
New Member

VPN to specific host

Hi, I want to create a VPN tunnel for specific hosts, not the full range.

ex) network range 10.1.1.0/24

Host 1 : 10.1.1.1

Host 2:  10.1.1.2

Host 3 : 10.1.1.3

Host 4:  10.1.1.4

So I created an ACL with each host as source and destination x.y.z.w.

Now when I type show crypto ipsec sa

it shows the full subnet 10.1.1.0 and not the host?

Did I configure it correctly?

Thanks

3 REPLIES
Cisco Employee

VPN to specific host

Are you trying to create lan-to-lan vpn tunnel or vpn client?

Also can you please share your current configuration.

New Member

VPN to specific host

Hi Jennifer,

It is a site-to-site VPN, where specific hosts are allowed to access the VPN tunnel.


For the config, it is the same as for any site-to-site VPN, except


from R1

access-list xyz permit ip host 10.1.1.1 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.2 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.3 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.4 172.16.0.0 0.0.255.255


from R2

access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.1
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.2
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.3
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.4

Thanks

Cisco Employee

VPN to specific host

If your crypto access-list "xyz" is host, the output of "show cryp ipsec sa" should also show host instead of subnet.

Did you use to have a subnet and have just recently changed it to host? If you did, can you please clear the IPsec tunnel so it re-establishes a new SA.
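
Added example, not part of the thread or of any poster's configuration: a Python check that compares the proxy identities in "show crypto ipsec sa" output against the crypto ACL on R1, so an SA still negotiated for the whole subnet stands out after the ACL was narrowed to hosts. The SA output, interface name, crypto map tag and local address below are constructed samples; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of "show crypto ipsec sa" output as seen on R1 (not from the thread).
SAMPLE_SA_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 192.0.2.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)

   local  ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
"""

# R1's crypto ACL as posted in the thread.
R1_ACL = """\
access-list xyz permit ip host 10.1.1.1 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.2 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.3 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.4 172.16.0.0 0.0.255.255
"""

IDENT_RE = re.compile(
    r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/\d+/\d+\)", re.M)

def take_net(tok):
    """Pop one ACL address spec ('host A' or 'A WILDCARD') and return a network."""
    first = tok.pop(0)
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")  # wildcard = host mask

def parse_acl(text):
    """Return the set of (source, destination) networks from 'permit ip' lines."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if "permit" in tok and "ip" in tok:
            rest = tok[tok.index("ip") + 1:]
            pairs.add((take_net(rest), take_net(rest)))
    return pairs

def parse_sas(text):
    """Return (local, remote) proxy identities; assumes each local line is followed by its remote."""
    nets = [ipaddress.ip_network(f"{a}/{m}") for _, a, m in IDENT_RE.findall(text)]
    return [(nets[i], nets[i + 1]) for i in range(0, len(nets) - 1, 2)]

def unexpected_sas(sa_text, acl_text):
    """SAs whose selectors match no crypto ACL entry, e.g. a leftover subnet-wide SA."""
    allowed = parse_acl(acl_text)
    return [sa for sa in parse_sas(sa_text) if sa not in allowed]
```

On R2 the local and remote identities are reversed, so the same check is run there against R2's ACL.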
