You will solve this problem if you first remove the "crypto map xxx" from the
interface where you attached this "crypto map xxx"; then you can remove the
access-list or change the configuration in the crypto map, etc. When you finish
the reconfiguration, you put the "crypto map" back on the correct
interface.


Hope this helps.



--
 Alfredo Pulido   [EMAIL PROTECTED]
CCDA
 Dept. Sistemas, IdecNet S.A.
 Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria,
 Las Palmas // SPAIN
 Tel: +34 828 111 000   Fax: +34 828 111 112
 http://www.idecnet.com/
--
"Jim Gillen" wrote in message
news:[EMAIL PROTECTED]...
> Pat
>
> Some comments:
>
> 1. For IPSec to work, the access list at the other end for the crypto map
> priority that is matched in the SA must be the mirror of yours, i.e.
>
> access-list 120 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255
>
> 2. Issue a "sh crypto ipsec sa" command with the access list still active
> and then with the access list deleted. The output of this command will tell
> you if any IPSec connections have been formed.
>
> 3. Try a "debug crypto isakmp" and "debug crypto ipsec" and apply the crypto
> map to the interface and watch the debug output. Example outputs are on the
> CCO...
>
> 4. Is this same access list applied to the interface you telnet to the other
> router in such a way that removing it leaves a deny any any on that interface
> (I assume the access list 20 you refer to is actually access list 120)?
>
> Hope this helps.
>
>
>
>
>
> Cheers
>
> Jim Gillen
>
> Snr Communications Engineer
> AUSTRAC
>
> Ph:   9950 0842
> Fax:  9950 0074
>
>
>
> >>> pat  21/05/02 14:00:38 >>>
>
> I am trying to set up a site to site tunnel between
> cisco routers. I am having a problem with the crypto access
> list on remote routers. I am configuring access-list 120
> & crypto commands as follows
>
>
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key ****** address XX.XX.XX.XX
> !
> !
> crypto ipsec transform-set test esp-3des esp-md5-hmac
> !
> crypto map test 20 ipsec-isakmp
> set peer XX.XX.XX.XX
> set transform-set test
> match address 120
>
>
> access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255
>
>
> I have access to remote routers through telnet over the
> internet. List 20 is in no way related to my access.
> But when I try to remove access-list 20 I lose my
> telnet session & can't ping it either. This happened
> on multiple remote routers. I am using
> IOS (tm) C2600 Software (C2600-IK9O3S-M), Version
> 12.2(3), RELEASE SOFTWARE (fc1)
>
> Any ideas why this is happening?
>
> Thank you all,
> Pat
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44645&t=44598
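
Jim Gillen's first point, that the crypto access lists on the two peers must mirror each other, can be checked offline before the crypto map is put back on the interface. The Python sketch below is an added example, not part of the original thread: the function names are hypothetical, the sample configs are constructed from the two access-list 120 lines quoted above, and it assumes numbered ACL entries that use `any`, `host A` or address plus wildcard with no port operators.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACLs quoted in the thread, one per router.
LOCAL_CFG = "access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255\n"
REMOTE_CFG = "access-list 120 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255\n"

ACE_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks; flip the bits before parsing,
    # so that wildcard 0.0.0.0 becomes /32 rather than being read as netmask /0.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def crypto_aces(config, acl):
    """Return (action, protocol, src_net, dst_net) for every entry of numbered ACL `acl`."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == str(acl):
            tokens = m.group(4).split()
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            aces.append((m.group(2), m.group(3), src, dst))
    return aces


def unmirrored(cfg_a, cfg_b, acl_a=120, acl_b=120):
    """Permit entries in cfg_a with no permit entry in cfg_b that swaps source and destination."""
    b = {(p, s, d) for act, p, s, d in crypto_aces(cfg_b, acl_b) if act == "permit"}
    return [(p, s, d) for act, p, s, d in crypto_aces(cfg_a, acl_a)
            if act == "permit" and (p, d, s) not in b]


if __name__ == "__main__":
    for name, gaps in (("local", unmirrored(LOCAL_CFG, REMOTE_CFG)),
                       ("remote", unmirrored(REMOTE_CFG, LOCAL_CFG))):
        print(name, "entries without a mirror:", [f"{p} {s} -> {d}" for p, s, d in gaps] or "none")
```

Run it in both directions, as the `__main__` block does: an entry present on only one peer shows up in only one of the two lists.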