Thanks for the reply, but this doesn't work. I have the more specific ACL and even created a LOG to syslog, and it's matching correctly, but it doesn't work.
Any ideas?

On Wed, 2003-06-25 at 15:35, Robert Perez wrote:
> I would do your more specific ACL entry and make sure your inverted mask is
> correct such as 192.1.1.0 0.0.0.255. Once you do that then issue the
> following commands to reset the tunnel and force a renegotiation.
>
> Clear crypto ipsec sa
> clear crypto isakmp sa
>
> That should do it...
>
> -----Original Message-----
> From: ian williams [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: crypto maps and IPSEC tunnels [7:71341]
>
>
> Hi
>
> I have just set up an IPSEC tunnel between two routers and am tunneling a source
> address of 192.168.50.1 going to a host on router B 172.x.x.x/24. Everything
> works with the current configs given below. But I want to change the ACL 101
> on router B from using a class A mask to something like a class C mask or
> even a host address. I have changed the ACL 101 and even added a deny ip any
> any log to the end to see what is being dropped. The VPN tunnel doesn't come
> up unless I use a class A mask like shown below. I know this is an ACL but
> is being used for matching traffic; do they work differently and don't
> support host addresses?
>
> Thanks
>
> Ian
>
>
> Here is the config of router A
>
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco address 10.10.10.10
> !
> !
> crypto ipsec transform-set TEST esp-3des
> !
> crypto map cisco 1 ipsec-isakmp
>  set peer 10.10.10.10
>  set transform-set TEST
>  match address 101
>
> access-list 101 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
> access-list 101 permit ip 192.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
>
>
> Here is the config router B
>
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
> crypto isakmp key password address 10.10.10.20
> !
> !
> crypto ipsec transform-set TEST esp-3des
> !
> crypto map cisco 1 ipsec-isakmp
>  set peer 10.10.10.20
>  set transform-set TEST
>  match address 101
>
> access-list 101 permit ip 172.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
> access-list 101 permit ip host 10.10.10.10 host 10.10.10.20

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71353&t=71341
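Added example, not part of the thread: crypto ACLs on two IPsec peers are normally written as mirror images of each other, and narrowing an entry on one router only breaks that pairing. This Python sketch parses the `access-list 101` lines quoted above and lists entries that have no exact reverse on the peer; the narrowed router B line (172.16.1.0) is a constructed value, and only contiguous wildcard masks are handled.

```python
import ipaddress
import re

# Copied from the access-list 101 lines quoted in the thread.
ROUTER_A = """
access-list 101 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
"""
ROUTER_B = """
access-list 101 permit ip 172.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 permit ip host 10.10.10.10 host 10.10.10.20
"""
# Constructed: router B narrowed to a /24 and a host; 172.16.1.0 is made up.
NARROWED_B = "access-list 101 permit ip 172.16.1.0 0.0.0.255 host 192.168.50.1"

ENTRY = re.compile(r"^\s*access-list\s+\d+\s+permit\s+ip\s+(.+)$")

def _take(tokens):
    """Consume one address spec: any | host ADDR | ADDR WILDCARD."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0))
    # Invert the Cisco wildcard into a netmask explicitly, so that 0.0.0.0
    # means "exact host" rather than being read as a /0 netmask.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    # A non-contiguous wildcard raises ValueError here (out of scope).
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def parse_crypto_acl(text):
    """Return (source, destination) networks for each 'permit ip' entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            tokens = m.group(1).split()
            entries.append((_take(tokens), _take(tokens)))
    return entries

def unmirrored(local, remote):
    """Entries of `local` with no exact reversed (dst, src) entry in `remote`."""
    reversed_remote = {(dst, src) for src, dst in parse_crypto_acl(remote)}
    return [e for e in parse_crypto_acl(local) if e not in reversed_remote]

if __name__ == "__main__":
    for name, local, remote in (("A", ROUTER_A, ROUTER_B), ("B", ROUTER_B, ROUTER_A),
                                ("B narrowed", NARROWED_B, ROUTER_A)):
        for src, dst in unmirrored(local, remote):
            print(f"router {name}: {src} -> {dst} has no mirror on the peer")
```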

