
New Member

ip access-list on crypto map: behavior is different to the configuration

Hello,

I configured IPsec between a hub router and some spoke routers. Everything works fine.

My next step is to filter traffic between the sites with ACLs.

One of the ACLs is:

ip access-list extended gre_hub-spoke1
 permit gre host 172.31.254.254 host 172.31.254.1
 permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255

This ACL is matched by the crypto map:

crypto map gre-tunnel 10 ipsec-isakmp
 set peer 172.31.254.1
 set transform-set myset
 match address gre_hub-spoke1

Why is the behavior different from what is configured?

The "permitted" communication is blocked; other traffic is forwarded.

Thanks and kind regards

Matthias

1 ACCEPTED SOLUTION

Silver

Re: ip access-list on crypto map: behavior is different to the configuration

From the crypto ACL:

permit gre host 172.31.254.254 host 172.31.254.1  --> SAs are built and the traffic is going through.

permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255  --> there are no SAs built for it! Check for a mirror-image ACL entry for it on the other side in the crypto ACL.

HTH

Saju

Please rate if it helps.
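The answer above comes down to one rule: every entry in the hub's crypto ACL needs a mirror image (source and destination swapped) in the spoke's crypto ACL, otherwise the responder cannot agree on proxy identities and no IPsec SA is built for that traffic. The following script is an added example, not code from the thread or from Cisco. It parses the hub ACL quoted in the question plus two constructed spoke ACLs (one mirroring only the GRE line, reproducing the symptom; one mirroring both lines) and reports every hub entry whose mirror is missing on the spoke. It understands the `host`, `any` and `address wildcard` address forms used in this thread; port operators, `remark` lines and other extended-ACL syntax are out of scope.

```python
"""Mirror-image check for two Cisco IOS crypto ACLs (added example)."""
import ipaddress
from typing import List, Tuple

# Hub-side crypto ACL, taken from the thread.
HUB_ACL = """
permit gre host 172.31.254.254 host 172.31.254.1
permit ip 10.70.0.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

# Constructed spoke ACL that mirrors only the GRE line: GRE gets an SA,
# the LAN-to-LAN entry does not (the symptom described in the question).
SPOKE_ACL_BROKEN = """
permit gre host 172.31.254.1 host 172.31.254.254
"""

# Constructed spoke ACL with both mirror entries present.
SPOKE_ACL_FIXED = """
permit gre host 172.31.254.1 host 172.31.254.254
permit ip 192.168.10.0 0.0.0.255 10.70.0.0 0.0.0.255
"""

# (action, protocol, source network, destination network), networks in CIDR text
Entry = Tuple[str, str, str, str]


def _wildcard_to_network(addr: str, wildcard: str) -> str:
    """Convert IOS 'address wildcard' (e.g. 10.70.0.0 0.0.0.255) to CIDR text."""
    # A wildcard mask is the bitwise inverse of a subnet mask: 0.0.0.255 -> /24.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))


def _take_address(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address specification; return (cidr, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny <proto> <src> <dst>' lines; skip anything else."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # blank line, remark, or unsupported syntax
        action, proto = tokens[0], tokens[1]
        src, rest = _take_address(tokens[2:])
        dst, _ = _take_address(rest)
        entries.append((action, proto, src, dst))
    return entries


def mirror(entry: Entry) -> Entry:
    """The entry the other peer must carry: same action/protocol, src and dst swapped."""
    action, proto, src, dst = entry
    return (action, proto, dst, src)


def missing_mirrors(hub_text: str, spoke_text: str) -> List[Entry]:
    """Hub entries whose mirror image is absent from the spoke crypto ACL."""
    spoke = set(parse_acl(spoke_text))
    return [e for e in parse_acl(hub_text) if mirror(e) not in spoke]


if __name__ == "__main__":
    for name, spoke in (("broken", SPOKE_ACL_BROKEN), ("fixed", SPOKE_ACL_FIXED)):
        gaps = missing_mirrors(HUB_ACL, spoke)
        print(f"{name}: {len(gaps)} hub entries without a mirror on the spoke")
        for action, proto, src, dst in gaps:
            print(f"  {action} {proto} {src} -> {dst}  (spoke needs {dst} -> {src})")
```

Run it against the real ACLs from both routers (paste each `show ip access-lists <name>` body into the two strings) before reaching for debugs; a hub entry reported here is exactly the one for which `show crypto ipsec sa` will show no SA and no encrypts/decrypts.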

3 REPLIES
Silver

Re: ip access-list on crypto map: behavior is different to the configuration

Hello,

Do you see an IPsec SA being built for that traffic? Post the output of "show crypto ipsec sa". Do you see encrypts/decrypts?

HTH

Saju

Please rate if it helps

New Member

Re: ip access-list on crypto map: behavior is different to the configuration

Hello,

Thanks for your response. The output is attached; it's too long to post here.

regards

Matthias

