Cisco Support Community

Ipsec match address statement

In the following config we want to have any as source, but only acc. 160 works.

!
crypto map tnm-vpn 2 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set trippel-des
 match address 160
!
access-list 160 permit ip host 192.168.254.1 host 10.224.0.1
!
ip access-list extended test
 permit ip any 10.224.0.0 0.0.255.255
 permit ip any 10.225.0.0 0.0.255.255
!

Any ideas?

regards

bjornarsb

3 REPLIES

Re: Ipsec match address statement

Hi,

The ACL that you use in the crypto map should be an exact mirror copy between the IPSEC peers.

When you change the ACL at one end, you need to ensure that the exact mirror copy is available in the other peer's crypto map, else this will not work.

Check this post for a similar issue.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddbfd63

-VJ


Re: Ipsec match address statement

Thanks !

Re: Ipsec match address statement

Hi

If I understand your query properly, at present you are having problems in matching the interesting traffic.

Do create an access-list allowing the required permit statements and bind it under the crypto map. Remove the existing match statement before configuring the new one.

Instead of configuring any in the access list, I would suggest mentioning the local LAN subnet being used at your site.

regds
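As an added example (not from the thread or from Cisco), a small Python checker for the two points the replies raise: the peer's crypto ACL must be an exact mirror image of the local one, and an entry with `any` as its source should name the local LAN subnet instead. The local ACL text is constructed from the entries in the question; the peer ACL and the function names are assumptions.

```python
# Added example: check that a peer's crypto ACL mirrors ours and flag "any" sources.
# Handles IOS "permit ip <src> <dst>" entries, numbered or named, with "any",
# "host A.B.C.D" or "A.B.C.D WILDCARD" endpoints (contiguous wildcard masks only).
from ipaddress import ip_network

def parse_endpoint(tokens):
    """Consume one src/dst endpoint from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is the bitwise inverse of the netmask (0.0.255.255 -> /16).
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return a list of (src, dst) networks, one per 'permit ip' entry."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:      # numbered ACL: drop "access-list 160"
            tokens = tokens[2:]
        if tokens[:2] != ["permit", "ip"]:      # skip headers, remarks and deny lines
            continue
        src, rest = parse_endpoint(tokens[2:])
        dst, _ = parse_endpoint(rest)
        entries.append((src, dst))
    return entries

def check_crypto_acls(local_text, remote_text):
    """Return a list of problems; an empty list means the pair looks consistent."""
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    issues = []
    if {(dst, src) for src, dst in local} != set(remote):
        issues.append("peer ACL is not an exact mirror image of the local ACL")
    for src, dst in local:
        if src.prefixlen == 0:
            issues.append(f"entry to {dst} uses 'any' as source; use the local LAN subnet")
    return issues

# Constructed sample: the named ACL from the question and an assumed peer ACL mirroring it.
LOCAL_ACL = """ip access-list extended test
 permit ip any 10.224.0.0 0.0.255.255
 permit ip any 10.225.0.0 0.0.255.255"""
PEER_ACL = """ip access-list extended test-mirror
 permit ip 10.224.0.0 0.0.255.255 any
 permit ip 10.225.0.0 0.0.255.255 any"""
```

Running `check_crypto_acls(LOCAL_ACL, PEER_ACL)` reports both `any` entries even though the peer ACL mirrors them exactly; replacing `any` with the local subnet on one side and its mirror on the other clears the report.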
