What versions of code are you using on the routers?

>>> pat 05/21/02 01:32 AM >>>
Hello Jim,

Thank you for the response.

1) When I said access-list 20 I meant 120. This is not applied to any interface. I am not doing telnet through the tunnel.

2) Access-lists are mirror images but the numbers are not the same. One is 120 and the other is 130. Does that matter?

3) I have a hub-spoke network. I am getting these problems on Spoke routers which are at remote sites.

Spoke 1: misconfigured 120. Tried to change it & lost connection.

Spoke 2: was able to establish tunnel. Wanted to change list 120 to include loopback interface IPs so that I can do a ping test. When I removed 120 I lost connection.

Spoke 3: Used debug commands. Able to kick in tunneling process only through Hub router. But tunnel never established. Phase I never kicked in when I pinged from Spoke 3 router. Appeared as though list 120 was not working on spoke 3. So tried to remove & reapply. I lost connection when I removed it.

4) I am also using CBAC. But the same problem appears with no CBAC. I actually tried Spoke 3 without CBAC.

To me it sounds like some issue with Cisco IOS. But not sure. Don't know if anybody else on the group has faced the same problem.

Thanks,
Pat

--- Jim Gillen wrote:
> Pat
>
> Some comments:
>
> 1. For IPSec to work the access list at the other end for the crypto map priority that is matched in the SA must be the mirror of yours, i.e.
>
> access-list 120 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255
>
> 2. Issue a "sh crypto ipsec sa" command with the access list still active and then with the access list deleted. The output of this command will tell you if any IPSec connections have been formed.
>
> 3. Try a "debug crypto isakmp" and "debug crypto ipsec" and apply the crypto map to the interface and watch the debug output. Example outputs are on the CCO...
>
> 4. Is this same access list applied to the interface you telnet to the other router in such a way that removing it leaves a deny any any on that interface (I assume the access list 20 you refer to is actually access list 120)?
>
> Hope this helps.
>
> Cheers
>
> Jim Gillen
> Snr Communications Engineer
> AUSTRAC
>
> Ph: 9950 0842
> Fax: 9950 0074
>
> >>> pat 21/05/02 14:00:38 >>>
>
> I am trying to set up a site to site tunnel between cisco routers. I am having a problem with the crypto access list on remote routers. I am configuring access-list 120 & crypto commands as follows
>
> crypto isakmp policy 10
>  authentication pre-share
> crypto isakmp key ****** address XX.XX.XX.XX
> !
> !
> crypto ipsec transform-set test esp-3des esp-md5-hmac
> !
> crypto map test 20 ipsec-isakmp
>  set peer XX.XX.XX.XX
>  set transform-set test
>  match address 120
>
> access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255
>
> I have access to remote routers through telnet over the internet. List 20 is in no way related to my access. But when I try to remove access-list 20 I lose my telnet session & can't ping it either. This happened on multiple remote routers. I am using
> IOS (tm) C2600 Software (C2600-IK9O3S-M), Version 12.2(3), RELEASE SOFTWARE (fc1)
>
> Any ideas why this is happening?
>
> Thank you all,
> Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44607&t=44607

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
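
Added example (not part of the original thread, and not Cisco code): a small Python check for the mirror-image requirement in Jim's point 1, comparing the crypto ACL on one router with the one on its peer. Function names are hypothetical, and the host entry with 192.0.2.x addresses and the hub's ACL text are constructed sample data; only the 10.55.1.0/10.54.1.0 entry comes from the thread.

```python
# Added example: checks that two routers' crypto ACLs are mirror images.
# Sample configs below are constructed for illustration.

def _take_addr(tokens):
    """Consume one IOS address spec and return (address, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return ("0.0.0.0", "255.255.255.255")
    if head == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (head, tokens.pop(0))

def parse_crypto_acl(config, number):
    """Return [(action, src, dst), ...] for 'access-list <number> <action> ip ...' lines."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number) or t[3] != "ip":
            continue
        rest = t[4:]
        try:
            src, dst = _take_addr(rest), _take_addr(rest)
        except IndexError:
            continue  # truncated entry, skip it
        entries.append((t[2], src, dst))
    return entries

def mirror(entry):
    """Swap source and destination, as the peer's entry must do."""
    action, src, dst = entry
    return (action, dst, src)

def unmirrored(local, remote):
    """Entries in `local` that have no mirrored counterpart in `remote`."""
    remote_set = set(remote)
    return [e for e in local if mirror(e) not in remote_set]

# ACL numbers are local to each router, so 120 on the spoke is compared with 130 on the hub.
SPOKE = """
access-list 120 permit ip 10.55.1.0 0.0.0.255 10.54.1.0 0.0.0.255
access-list 120 permit ip host 192.0.2.1 host 192.0.2.2
"""
HUB = """
access-list 130 permit ip 10.54.1.0 0.0.0.255 10.55.1.0 0.0.0.255
"""

if __name__ == "__main__":
    spoke, hub = parse_crypto_acl(SPOKE, 120), parse_crypto_acl(HUB, 130)
    for e in unmirrored(spoke, hub):
        print("spoke entry with no mirror on hub:", e)
    for e in unmirrored(hub, spoke):
        print("hub entry with no mirror on spoke:", e)
```

Run against the constructed sample, it reports the spoke's host-to-host entry as having no mirror on the hub.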