11-16-2007 08:54 AM - edited 03-03-2019 07:34 PM
I have this config on my Cisco 851:
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 9.1.1.35
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 9.1.1.35
 set transform-set test
 match address 100
!
!
!
interface Serial0/0
 ip address 9.x.x.146 255.255.255.252
 ip access-group 110 in
 crypto map vpn
!
interface Ethernet0/1
 ip address 10.0.68.1 255.255.255.0
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.145
!
!
access-list 100 permit ip 10.0.68.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit tcp any eq 500 any eq 500
!
What other access rules (110) do I need to add to let IPSec through and block everything else?
11-16-2007 09:07 AM
Hi
You will need to let ESP (Encapsulation Security Payload) through at the very minimum, i.e.:
access-list 110 permit esp any any
HTH
Jon
11-17-2007 12:55 AM
I believe that your protocol is incorrect; it should be UDP, not TCP. It also seems as if you are missing the statement that applies your crypto map to an interface, and you will need to enable IPSec on the outside interface. Lastly, you might need to implement the nat 0 statement, depending upon your implementation. Hope this helps!
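Added example, not part of the original thread: a small first-match ACL evaluator that checks the posted access-list 110, and a revision combining the two replies' suggestions (UDP instead of TCP for port 500, plus ESP), against the inbound packets the tunnel needs. The parser covers only the ACL syntax used in this thread, and the LOCAL address and the helper names are assumptions made for the example.

```python
import ipaddress

PEER = "9.1.1.35"        # peer address from the posted config
LOCAL = "192.0.2.146"    # constructed stand-in for the elided 9.x.x.146

ORIGINAL = ["access-list 110 permit tcp any eq 500 any eq 500"]
REVISED = ["access-list 110 permit udp any eq 500 any eq 500",
           "access-list 110 permit esp any any"]

# Constructed packets the tunnel needs inbound: IKE (UDP 500) and ESP (IP protocol 50).
TUNNEL = {"IKE": {"proto": "udp", "src": PEER, "dst": LOCAL, "sport": 500, "dport": 500},
          "ESP": {"proto": "esp", "src": PEER, "dst": LOCAL}}

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    word = tok.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tok.pop(0)))

def _port(tok):
    """Consume an optional 'eq N' port qualifier; None means any port."""
    if tok and tok[0] == "eq":
        del tok[0]
        return int(tok.pop(0))
    return None

def parse_ace(line):
    """Parse 'access-list N ACTION PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()[2:]
    ace = {"action": tok.pop(0), "proto": tok.pop(0)}
    ace["src"], ace["sport"] = _addr(tok), _port(tok)
    ace["dst"], ace["dport"] = _addr(tok), _port(tok)
    return ace

def _ip_ok(spec, ip):
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", pkt["proto"])
                and _ip_ok(ace["src"], pkt["src"]) and _ip_ok(ace["dst"], pkt["dst"])
                and ace["sport"] in (None, pkt.get("sport"))
                and ace["dport"] in (None, pkt.get("dport"))):
            return ace["action"]
    return "deny"

def audit(acl):
    return {name: evaluate(acl, pkt) for name, pkt in TUNNEL.items()}
```

audit(ORIGINAL) reports both IKE and ESP as denied by the implicit deny at the end of the list, while audit(REVISED) permits both and still denies unrelated traffic.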