Cisco Support Community
IPSEC Crypto map match address is different...

Hi Experts,

I want to check, let's say for this encryption as below, will it work if the match address is a different access-list?

Is it okay if match address 108 is permit any any? Thanks.

For example, below 10.18.50.1 at Segment A is communicating with 10.18.40.1 at Segment B on this encryption traffic.

Router A#

crypto map NVR 15 ipsec-isakmp
 set peer 10.18.20.5
 set transform-set NVRS
 match address 107
access-list 107 permit ip host 10.18.50.1 host 10.18.40.1

Router B#

crypto map NVR 15 ipsec-isakmp
 set peer 10.18.20.6
 set transform-set NVRS
 match address 108
access-list 108 permit ip any any

Accepted Solutions

Re: IPSEC Crypto map match address is different...

Hi Cindy,

According to my observations the access-lists defining the interesting traffic should be symmetrical on the VPN endpoints. Else the IPSec negotiation will fail and the VPN tunnel will not be formed.

So access-list 108 should be the following:

access-list 108 permit ip host 10.18.40.1 host 10.18.50.1

Cheers:

Istvan
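
One way to check the symmetry described in the answer before applying a crypto map, as an added example that is not part of the original thread: the script parses the ACL lines posted above and reports entries that have no source/destination-swapped counterpart on the peer. The function names are hypothetical, and it assumes numbered extended ACLs with address specs only (no port operators) and contiguous wildcard masks.

```python
import ipaddress

def parse_endpoint(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard mask: set bits are "don't care", so 0.0.0.255 means /24.
    wc = int(ipaddress.IPv4Address(tokens.pop(0)))
    bits = wc.bit_length()
    if wc != (1 << bits) - 1:
        raise ValueError("non-contiguous wildcard masks are not handled here")
    return ipaddress.ip_network(f"{head}/{32 - bits}", strict=False)

def parse_crypto_acl(config, acl_id):
    """Return the set of (protocol, source, destination) permit entries of one numbered ACL."""
    entries = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:3] != ["access-list", acl_id, "permit"]:
            continue
        rest = tok[4:]
        # Tuple elements evaluate left to right: source first, then destination.
        entries.add((tok[3], parse_endpoint(rest), parse_endpoint(rest)))
    return entries

def mirror_mismatches(local, remote):
    """Compare local entries with the remote entries after swapping source and destination.
    Returns (entries only on the local side, swapped entries only on the remote side)."""
    swapped = {(proto, dst, src) for proto, src, dst in remote}
    return sorted(local - swapped, key=str), sorted(swapped - local, key=str)

# ACL lines as posted in the thread, plus the corrected ACL 108 from the answer.
ROUTER_A = "access-list 107 permit ip host 10.18.50.1 host 10.18.40.1"
ROUTER_B_POSTED = "access-list 108 permit ip any any"
ROUTER_B_FIXED = "access-list 108 permit ip host 10.18.40.1 host 10.18.50.1"

if __name__ == "__main__":
    a = parse_crypto_acl(ROUTER_A, "107")
    for label, cfg in (("posted", ROUTER_B_POSTED), ("fixed", ROUTER_B_FIXED)):
        only_a, only_b = mirror_mismatches(a, parse_crypto_acl(cfg, "108"))
        ok = not (only_a or only_b)
        print(label, "mirrored" if ok else f"MISMATCH A={only_a} B={only_b}")
```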

Re: IPSEC Crypto map match address is different...

Thanks Istvan.

I got it now.. :)

That is very helpful..

rgds,

cindy.
