Re: problem with crypto access list !!! [7:44598]

2002-05-23 Thread pat

Thanks Alfredo. That helped. It works now.
Just needed to remove crypto map before access-list.


--- Alfredo Pulido  wrote:
> You will solve this problem if you first remove the "crypto map xxx" in the
> interface where you attach this "crypto map xxx", then you can remove
> access-list or change configuration in the crypto map, etc. When you finish
> the reconfiguration, you put again the "crypto map" in the correct
> interface.
>
> Hope this helps.
>
> --
>  Alfredo Pulido   [EMAIL PROTECTED]
> CCDA
>  Dept. Sistemas, IdecNet S.A.
>  Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria,
>  Las Palmas // SPAIN
>  Tel: +34 828 111 000   Fax: +34 828 111 112
>  http://www.idecnet.com/
> --
> "Jim Gillen" wrote in message
> news:[EMAIL PROTECTED]...
> > Pat
> >
> > Some comments:
> >
> > 1. For IPSec to work the access list at the other end for the crypto map
> > priority that is matched in the SA must be the mirror of yours, i.e.
> >
> > access-list 120 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255
> >
> > 2. Issue a "sh crypto ipsec sa" command with the access list still active and
> > then with the access list deleted. The output of this command will tell you if
> > any IPSec connections have been formed.
> >
> > 3. Try a "debug crypto isakmp" and "debug crypto ipsec" and apply the crypto
> > map to the interface and watch the debug output. Example outputs are on the
> > CCO...
> >
> > 4. Is this same access list applied to the interface you telnet to the other
> > router in such a way that removing it leaves a deny any any on that interface
> > (I assume the access list 20 you refer to is actually access list 120)?
> >
> > Hope this helps.
> >
> > Cheers
> >
> > Jim Gillen
> >
> > Snr Communications Engineer
> > AUSTRAC
> >
> > Ph:   9950 0842
> > Fax:  9950 0074
> >
> > >>> pat  21/05/02 14:00:38 >>>
> >
> > I am trying to set up site to site tunnel between
> > cisco routers. I am having problem with crypto access
> > list on remote routers. I am configuring access-list 120
> > & crypto commands as follows
> >
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key ** address XX.XX.XX.XX
> > !
> > !
> > crypto ipsec transform-set test esp-3des esp-md5-hmac
> > !
> > crypto map test 20 ipsec-isakmp
> > set peer XX.XX.XX.XX
> > set transform-set test
> > match address 120
> >
> > access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255
> >
> > I have access to remote routers through telnet over the
> > internet. List 20 is in no way related to my access.
> > But when I try to remove access-list 20 I lose my
> > telnet session & can't ping it either. This happened
> > on multiple remote routers. I am using
> > IOS (tm) C2600 Software (C2600-IK9O3S-M), Version
> > 12.2(3), RELEASE SOFTWARE (fc1)
> >
> > Any ideas why this is happening?
> >
> > Thank you all,
> > Pat
> >
> >

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44917&t=44598
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: problem with crypto access list !!! [7:44598]

2002-05-21 Thread Alfredo Pulido

You will solve this problem if you first remove the "crypto map xxx" in the
interface where you attach this "crypto map xxx", then you can remove
access-list or change configuration in the crypto map, etc. When you finish
the reconfiguration, you put again the "crypto map" in the correct
interface.


Hope this helps.



--
--
 Alfredo Pulido   [EMAIL PROTECTED]
CCDA
 Dept. Sistemas, IdecNet S.A.
 Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria,
 Las Palmas // SPAIN
 Tel: +34 828 111 000   Fax: +34 828 111 112
 http://www.idecnet.com/
--
"Jim Gillen" wrote in message
news:[EMAIL PROTECTED]...
> Pat
>
> Some comments:
>
> 1. For IPSec to work the access list at the other end for the crypto map
> priority that is matched in the SA must be the mirror of yours, i.e.
>
> access-list 120 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255
>
> 2. Issue a "sh crypto ipsec sa" command with the access list still active and
> then with the access list deleted. The output of this command will tell you if
> any IPSec connections have been formed.
>
> 3. Try a "debug crypto isakmp" and "debug crypto ipsec" and apply the crypto
> map to the interface and watch the debug output. Example outputs are on the
> CCO...
>
> 4. Is this same access list applied to the interface you telnet to the other
> router in such a way that removing it leaves a deny any any on that interface
> (I assume the access list 20 you refer to is actually access list 120)?
>
> Hope this helps.
>
>
>
>
>
> Cheers
>
> Jim Gillen
>
> Snr Communications Engineer
> AUSTRAC
>
> Ph:   9950 0842
> Fax:  9950 0074
>
>
>
> >>> pat  21/05/02 14:00:38 >>>
>
> I am trying to set up site to site tunnel between
> cisco routers. I am having problem with crypto access
> list on remote routers. I am configuring access-list 120
> & crypto commands as follows
>
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key ** address XX.XX.XX.XX
> !
> !
> crypto ipsec transform-set test esp-3des esp-md5-hmac
> !
> crypto map test 20 ipsec-isakmp
> set peer XX.XX.XX.XX
> set transform-set test
> match address 120
>
> access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255
>
> I have access to remote routers through telnet over the
> internet. List 20 is in no way related to my access.
> But when I try to remove access-list 20 I lose my
> telnet session & can't ping it either. This happened
> on multiple remote routers. I am using
> IOS (tm) C2600 Software (C2600-IK9O3S-M), Version
> 12.2(3), RELEASE SOFTWARE (fc1)
>
> Any ideas why this is happening?
>
> Thank you all,
> Pat
>
>

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44645&t=44598



Re: problem with crypto access list !!! [7:44598]

2002-05-21 Thread Jim Gillen

Pat

Some comments:

1. For IPSec to work the access list at the other end for the crypto map
priority that is matched in the SA must be the mirror of yours, i.e.

access-list 120 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255

2. Issue a "sh crypto ipsec sa" command with the access list still active and
then with the access list deleted. The output of this command will tell you if
any IPSec connections have been formed.

3. Try a "debug crypto isakmp" and "debug crypto ipsec" and apply the crypto
map to the interface and watch the debug output. Example outputs are on the
CCO...


4. Is this same access list applied to the interface you telnet to the other
router in such a way that removing it leaves a deny any any on that interface
(I assume the access list 20 you refer to is actually access list 120)?

Hope this helps.





Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



>>> pat  21/05/02 14:00:38 >>>

I am trying to set up site to site tunnel between
cisco routers. I am having problem with crypto access
list on remote routers. I am configuring access-list 120
& crypto commands as follows


crypto isakmp policy 10
authentication pre-share
crypto isakmp key ** address XX.XX.XX.XX
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto map test 20 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set test
match address 120


access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255


I have access to remote routers through telnet over the
internet. List 20 is in no way related to my access.
But when I try to remove access-list 20 I lose my
telnet session & can't ping it either. This happened
on multiple remote routers. I am using
IOS (tm) C2600 Software (C2600-IK9O3S-M), Version
12.2(3), RELEASE SOFTWARE (fc1)

Any ideas why this is happening?

Thank you all,
Pat



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44598&t=44598
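
Added example (not part of any message in this thread): a small offline check of the mirror requirement from point 1 of the reply above, run against the two access-list 120 lines quoted in the thread. The function names and the PEER_WRONG sample are made up for illustration; only the plain "permit ip <src> <wildcard> <dst> <wildcard>" form is parsed.

```python
import ipaddress
import re

# Only the simple form used in this thread is handled:
#   access-list <n> permit ip <src> <src-wildcard> <dst> <dst-wildcard>
# Lines using the "host" or "any" keywords are outside the scope of this sketch.
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_crypto_acl(config, number):
    """Return the set of (source, destination) networks permitted by the ACL."""
    entries = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.add((to_network(m.group(2), m.group(3)),
                         to_network(m.group(4), m.group(5))))
    return entries

def mirror_mismatches(local, remote):
    """Entries on each side that have no reversed counterpart on the peer."""
    unmatched_local = {(s, d) for (s, d) in local if (d, s) not in remote}
    unmatched_remote = {(s, d) for (s, d) in remote if (d, s) not in local}
    return unmatched_local, unmatched_remote

# ACL from the original question, and the mirror suggested in the reply.
REMOTE_SITE = "access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255"
PEER_MIRROR = "access-list 120 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255"
# Constructed sample: peer ACL with a wider source wildcard, not a true mirror.
PEER_WRONG = "access-list 120 permit ip 10.54.0.0 0.0.255.255 10.55.1.0 0.0.0.255"

def check(local_cfg, peer_cfg, number=120):
    """Compare one ACL number across the two peers' configurations."""
    return mirror_mismatches(parse_crypto_acl(local_cfg, number),
                             parse_crypto_acl(peer_cfg, number))

if __name__ == "__main__":
    for name, peer in (("mirror", PEER_MIRROR), ("wrong", PEER_WRONG)):
        local_only, peer_only = check(REMOTE_SITE, peer)
        print(name, "OK" if not (local_only or peer_only) else "MISMATCH")
        for s, d in sorted(local_only | peer_only):
            print(f"  no mirror for: {s} -> {d}")
```

Running it on saved configurations from both routers before applying the crypto map shows which entries lack a reversed counterpart on the peer.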