10-25-2010 07:21 PM - edited 03-11-2019 12:00 PM
We have the list below for an IPsec tunnel:
access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit tcp host 192.168.200.110 eq 6600 172.16.100.0 255.255.255.248
access-list 195 line 3 extended permit udp host 192.168.300.130 172.16.100.0 255.255.255.248 eq domain
When the other (remote) end of the IPsec tunnel tries to even ping or trace to 192.168.200.110 or 192.168.300.130, the VPN connection goes down.
Why does it do so?
TIA.
10-25-2010 07:37 PM
Hi,
Please brief us more about what the 2 devices in question are and what kind of VPN is set up.
Also, what exactly do you mean when you say that ping brings down the tunnel (is it that ping brings the tunnel down, or is the tunnel not coming up at all)?
10-25-2010 07:52 PM
Sorry for omitting those initially.
Our end is an ASA and the other end has a Cisco router.
The IPsec tunnel comes up without any problem at first, and if a ping is done from 172.16.100.2 or a similar IP to 192.168.100.0/24 it works well.
However, whenever the remote end 172.16.100.0 255.255.255.248 pings or does a traceroute to 192.168.200.110 or 192.168.200.130, the tunnel goes down.
Hope this information is much clearer.
Thanks.
10-25-2010 08:20 PM
So, if I understand you right, you say the tunnel goes down because you don't see ping replies coming in.
If that is the reason, assuming access-list 195 is the ACL that defines the VPN (crypto) traffic, as you can see you are allowing only specific ports through the VPN for those IPs; that is why you are not able to ping. If you want to allow everything between the 2 hosts, use the following crypto ACL on both ends:
access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit ip host 192.168.200.110 172.16.100.0 255.255.255.248
access-list 195 line 3 extended permit ip host 192.168.300.130 172.16.100.0 255.255.255.248
the change has been highlighted in bold
10-25-2010 08:37 PM
Does that mean that if we try to initiate a connection for traffic not covered under the defined ACL 195, the tunnel will go down?
In that case, how do we nail down the traffic to only the required TCP or UDP ones rather than IP?
thanks.
10-25-2010 08:53 PM
The tunnel does not go down; the traffic does not go through the tunnel.
So only whatever traffic is defined in that crypto ACL goes through the tunnel.
Can you please paste the output of
show run crypto -> on the ASA
10-25-2010 09:11 PM
Thanks,
I have masked some values.
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto map kepp 60 match address 195
crypto map kepp 60 set peer y.y.y.y
crypto map kepp 60 set transform-set vpn
crypto map kepp 60 set security-association lifetime seconds 28800
crypto map kepp 60 set security-association lifetime kilobytes 4608000
crypto map kepp interface External
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn VPNASABU.abc.com
subject-name CN=VPNASABU
serial-number
crl configure
crypto isakmp enable outside
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Thank You
10-25-2010 09:23 PM
Yeah, so as I said before:
Make changes to that ACL on both ends and pings will start working.
10-25-2010 09:28 PM
So if you do not want to allow everything, you can use what you have, and in addition to that you can allow ICMP between the 2 hosts for testing connectivity:
access-list 195 extended permit icmp host 192.168.200.110 172.16.100.0 255.255.255.248
access-list 195 extended permit icmp host 192.168.300.130 172.16.100.0 255.255.255.248
Hope this helps.
Let me know if you have more questions.
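The behaviour the replies above describe (only traffic that matches the crypto-map ACL is sent through the tunnel, and the router's crypto ACL must be the mirror image of the ASA's) can be modelled in a few lines. The block below is an added example, not code from the thread or from Cisco: it parses the ASA-style access-list 195 from the original post (the entry for the masked host 192.168.300.130 is left out, and the ICMP entry suggested above is included as a separate constant), mirrors it for the router peer in IOS wildcard-mask syntax, and checks which entry, if any, selects a given flow. The flows tested (a ping and a TCP/6600 connection from 172.16.100.2) are constructed for the example.

```python
"""Added example: model of crypto-ACL 'interesting traffic' selection and
ACL mirroring for an ASA <-> IOS router IPsec tunnel. Not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two unmasked ACEs from the original post.
ORIGINAL_ACL = """
access-list 195 line 1 extended permit ip 192.168.100.0 255.255.255.0 172.16.100.0 255.255.255.248
access-list 195 line 2 extended permit tcp host 192.168.200.110 eq 6600 172.16.100.0 255.255.255.248
"""
# The ICMP ACE suggested in the thread for connectivity testing.
ICMP_FIX = "access-list 195 line 3 extended permit icmp host 192.168.200.110 172.16.100.0 255.255.255.248\n"

PORT_NAMES = {"domain": 53}  # assumed: only the service name used in the thread

@dataclass(frozen=True)
class Ace:
    proto: str                  # ip, tcp, udp, icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]        # "eq N" following the source address
    dport: Optional[int]        # "eq N" following the destination address

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(t, i):
    """Parse an ASA address at t[i]: 'host X', 'any', or 'NET NETMASK'."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port_opt(t, i):
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i

def parse_asa_acl(text: str) -> List[Ace]:
    """Parse 'access-list N [line L] extended permit PROTO SRC [eq P] DST [eq P]'."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        i = 2
        if t[i] == "line":      # 'line N' appears in show access-list output
            i += 2
        if t[i:i + 2] != ["extended", "permit"]:
            continue            # only permit entries select traffic for the tunnel
        proto, i = t[i + 2], i + 3
        src, i = _addr(t, i)
        sport, i = _port_opt(t, i)
        dst, i = _addr(t, i)
        dport, i = _port_opt(t, i)
        aces.append(Ace(proto, src, dst, sport, dport))
    return aces

def mirror(aces: List[Ace]) -> List[Ace]:
    """The peer's crypto ACL: the same traffic seen from the other side."""
    return [Ace(a.proto, a.dst, a.src, a.dport, a.sport) for a in aces]

def match(aces, proto, sip, dip, sport=None, dport=None) -> Optional[int]:
    """1-based index of the first ACE selecting this flow, or None: the flow is
    not 'interesting' and is never encrypted, although the tunnel stays up."""
    sip, dip = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    for n, a in enumerate(aces, 1):
        if a.proto != "ip" and a.proto != proto:
            continue
        if sip not in a.src or dip not in a.dst:
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return n
    return None

def _ios_addr(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"  # IOS uses wildcard masks

def to_ios(aces: List[Ace], name: int = 195) -> List[str]:
    """Render ACEs as IOS extended access-list lines for the router's crypto map."""
    out = []
    for a in aces:
        s = f"access-list {name} permit {a.proto} {_ios_addr(a.src)}"
        if a.sport is not None:
            s += f" eq {a.sport}"
        s += f" {_ios_addr(a.dst)}"
        if a.dport is not None:
            s += f" eq {a.dport}"
        out.append(s)
    return out

if __name__ == "__main__":
    router = mirror(parse_asa_acl(ORIGINAL_ACL))
    print("\n".join(to_ios(router)))
    # Remote 172.16.100.2 pinging local 192.168.200.110: no ACE selects ICMP.
    print(match(router, "icmp", "172.16.100.2", "192.168.200.110"))
    print(match(router, "tcp", "172.16.100.2", "192.168.200.110", 40000, 6600))
    print(match(mirror(parse_asa_acl(ORIGINAL_ACL + ICMP_FIX)),
                "icmp", "172.16.100.2", "192.168.200.110"))
```

Run it and the ping from 172.16.100.2 to 192.168.200.110 matches nothing until the ICMP entry is added, while a TCP connection to port 6600 matches entry 2 on both sides; that is the whole explanation for "ping fails but the application works". Note that the mirrored entries carry the port on the destination side of the router's ACL, which is easy to get wrong by hand and is exactly the kind of mismatch that makes a phase 2 negotiation fail.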
10-26-2010 03:18 PM
Hello!
As far as I know, the best practice is to select only "ip" for the access-list applied on the crypto map.
If you want to limit ports you can do it on your inside access-group ACLs for both ends, or use a VPN-Filter on the ASA. Here's a sample config for the VPN-Filters on the ASA:
In any case, if you are willing to test by limiting the protocol on the crypto map access-list, both ends must have exactly the same access-list (mirrored) for the VPN to work. I understand this makes the encryption process harder for the appliance, since more Security Associations are created when specific ports are selected instead of when only IP is selected.
Regards,