Dynamic-Static IPSEC between the ASA & Router

jack samuel
Level 1

Hello,

Core-HQ--------------------ASA-------------ISP---------Branch- Router

192.168.0.0                                                      172.16.0.0

I have a query regarding the interesting traffic of VPN.

Our ASA is on a static public IP and the branch router is on dynamic ADSL. When I specify the interesting traffic on the ASA, i.e.

access-list abc extended permit ip 192.168.0.0 255.255.0.0 any ----------- it works: the tunnel is up when the branch router initiates a ping to the 192.168.0.0 network in HQ, but when I change the access-list to

access-list abc extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0 --------- it doesn't work.

Please find the Capture output.

Tx


12 Replies

andrew.prince
Level 10

This is normal. See the below URL

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml


Hello,

I have the above document. This means interesting traffic should be permitted from HQ to anywhere?

  1. Suppose I had two branches with VPN and I wanted to allow HQ user A to access branch A and not branch B.
  2. Suppose I had a user B in HQ and I wanted to allow him to access branch B only.

So in this situation, what can be done?

Hi Jack,

When you change the interesting traffic ACL on the ASA you should do the same on the remote Router.

e.g ASA

access-list abc extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

Remote Router

access-list abc extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

Remember to put this line in your NO-NAT ACL.

This should work.

Are you using crypto maps or VTI on the router?

Hello Elias

I have done the above before, but it doesn't work.

Hi Jack,

After changing your interesting traffic ACLs, did you clear the ISAKMP SAs and IPsec SAs and allow the tunnel to re-establish with the new settings?

If so, what is the debug saying?

e.g. debug crypto isakmp 10

Check the debug carefully and see why the tunnel fails to establish.

Hi Jack,

You should post both end configuration. Also after changing these ACL you should do some crypto debug on router to collect the logs.

Thanks

Ajay

Hello

Now, even though the ping is stopped, phase I and phase II are complete, but still the traffic doesn't pass.

Thanks

EliasTlou
Level 1

Hi Jack,

Please check your interface access-lists (even though I doubt this could be an issue because the traffic went through the first time), try to inspect icmp, run the captures on the inside interface to see if the traffic gets back, check if sysopt connection permit-VPN is running.


Hello,

"(even though I doubt this could be an issue because the traffic went through the first time)" - by looking at which line do you say this? Can you highlight the line in my logs, please?

Not related to the VPN problem above; in general, I am asking what the logs below say:

*Jan 18 14:24:34.351: ISAKMP: DPD received KMI message.
*Jan 18 14:24:34.351: ISAKMP: IPSec requested DPD; SA state 0x0 or SA is null. Reinitiating phase 1.
*Jan 18 14:24:34.351: ISAKMP: Locking peer struct 0x47092658, refcount 1 for DPD/create new SA
*Jan 18 14:24:34.351: ISAKMP: local port 500, remote port 500
*Jan 18 14:24:34.351: insert sa successfully sa = 4751DE0C
*Jan 18 14:24:34.351: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 18 14:24:34.351: ISAKMP:(0):found peer pre-shared key matching 192.168.20.1
*Jan 18 14:24:34.351: ISAKMP:(0): Unknown DOI 0
*Jan 18 14:24:34.351: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 18 14:24:34.351: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 18 14:24:34.351: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 18 14:24:34.351: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 18 14:24:34.351: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jan 18 14:24:34.351: ISAKMP:(0): sending packet to 192.168.20.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 18 14:24:34.355: ISAKMP (0:0): received packet from 192.168.20.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 18 14:24:34.355: ISAKMP:(0):Notify has no hash. Rejected.
*Jan 18 14:24:34.355: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Jan 18 14:24:34.355: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan 18 14:24:34.355: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
*Jan 18 14:24:34.355: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.20.1....

Success rate is 0 percent (0/5)

Thanks

Now I changed the access-list to mirror the router, and it still doesn't work. It gives me the error below in the debug on the ASA:

Session is being torn down. Reason: crypto map policy not found

Post your router config as well.

I have mirrored the traffic and it worked fine.

Thanks to all who contributed suggestions; I will rate all of you.
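A small check for the mirror requirement that Elias's reply with the two ACLs describes and that Jack's closing reply confirms, added here as an example; it is not code from the thread or from Cisco. It parses the ASA crypto ACL (subnet masks) and the router's crypto ACL in IOS syntax (wildcard masks, which is how an IOS access-list is actually written) and reports, for every entry on each side, whether the other side holds the exact reverse pair, only a broader entry that happens to contain it (the "any" case from the first post), or nothing at all. The router ACL number 101 and the host test line are assumptions; the two ASA lines are the ones from the thread.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]


def _mask_to_prefix(mask: str, wildcard: bool) -> int:
    """Convert an ASA subnet mask (255.255.0.0) or an IOS wildcard mask
    (0.0.255.255) to a prefix length. A wildcard is the inverse of a netmask,
    so wildcard 0.0.0.0 means a single host, not 'any'."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF
    host_bits = bits ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):  # host part must be a contiguous run of ones
        raise ValueError(f"non-contiguous mask {mask} cannot be a prefix")
    return 32 - host_bits.bit_length()


def _parse_endpoint(tokens: List[str], i: int, wildcard: bool) -> Tuple[Net, int]:
    """Read one source or destination ('any', 'host A.B.C.D', or 'addr mask')
    starting at tokens[i]; return the network and the index after it."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    prefix = _mask_to_prefix(tokens[i + 1], wildcard)
    return Net(f"{tok}/{prefix}", strict=False), i + 2


def parse_acl(lines: Iterable[str], wildcard: bool) -> Set[Pair]:
    """Return the (source, destination) pairs selected by 'permit ip' entries.
    wildcard=False for ASA 'extended' ACLs, True for IOS ACLs."""
    pairs: Set[Pair] = set()
    for line in lines:
        tokens = line.split()
        if "remark" in tokens or "permit" not in tokens:
            continue  # remarks and deny lines never select traffic for the SA
        i = tokens.index("permit") + 1
        if tokens[i] != "ip":
            raise ValueError(f"only 'permit ip' entries are handled: {line}")
        src, i = _parse_endpoint(tokens, i + 1, wildcard)
        dst, _ = _parse_endpoint(tokens, i, wildcard)
        pairs.add((src, dst))
    return pairs


def _status(src: Net, dst: Net, other: Set[Pair], other_name: str) -> str:
    if (dst, src) in other:
        return "mirrored"
    # No exact reverse entry on the peer; see whether a wider one (e.g. 'any')
    # still contains the reversed pair. That is the asymmetric setup from the
    # first post: the peer's selectors fit inside it, but it is not a mirror.
    if any(dst.subnet_of(s) and src.subnet_of(d) for s, d in other):
        return f"covered by a broader {other_name} entry, not an exact mirror"
    return f"missing on {other_name}"


def mirror_report(asa_lines, ios_lines) -> List[Tuple[str, str, str, str]]:
    """For every entry on each side, say how the other side answers it."""
    asa = parse_acl(asa_lines, wildcard=False)
    ios = parse_acl(ios_lines, wildcard=True)
    report = []
    for src, dst in sorted(asa, key=str):
        report.append(("ASA", str(src), str(dst), _status(src, dst, ios, "router")))
    for src, dst in sorted(ios, key=str):
        report.append(("router", str(src), str(dst), _status(src, dst, asa, "ASA")))
    return report


def is_exact_mirror(asa_lines, ios_lines) -> bool:
    return all(row[3] == "mirrored" for row in mirror_report(asa_lines, ios_lines))


# Constructed samples: the two ASA lines from the thread, and the router ACL
# written in IOS wildcard-mask syntax (ACL number 101 is an assumption).
ASA_ANY = ["access-list abc extended permit ip 192.168.0.0 255.255.0.0 any"]
ASA_MIRROR = ["access-list abc extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0"]
ROUTER = ["access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255"]

if __name__ == "__main__":
    for name, acl in (("ASA 'any'", ASA_ANY), ("ASA mirrored", ASA_MIRROR)):
        print(f"{name}: exact mirror = {is_exact_mirror(acl, ROUTER)}")
        for side, src, dst, status in mirror_report(acl, ROUTER):
            print(f"  {side:6} {src:>16} -> {dst:<16} {status}")
```

The "covered by a broader entry" result is the one to look for when a tunnel comes up only when one side initiates: the proxy identities proposed in phase 2 fit the wider ACL, so the narrower side can initiate successfully, while the reverse direction has no exact match to offer.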
