11-12-2008 10:16 PM - edited 03-04-2019 12:18 AM
Hi Experts,
I want to check: let's say for this encryption as below, will it work if the match address is a different access-list?
Is it okay if match address 108 is permit any any? Thanks.
For example, below 10.18.50.1 at Segment A is communicating with 10.18.40.1 at Segment B on this encryption traffic.
Router A#
crypto map NVR 15 ipsec-isakmp
set peer 10.18.20.5
set transform-set NVRS
match address 107
access-list 107 permit ip host 10.18.50.1 host 10.18.40.1
Router B#
crypto map NVR 15 ipsec-isakmp
set peer 10.18.20.6
set transform-set NVRS
match address 108
access-list 108 permit ip any any
11-12-2008 10:42 PM
Hi Cindy,
According to my observations the access-lists defining the interesting traffic should be symmetrical on the VPN endpoints. Else the IPSec negotiation will fail and the VPN tunnel will not be formed.
So access-list 108 should be the following:
access-list 108 permit ip host 10.18.40.1 host 10.18.50.1
Cheers:
Istvan
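The symmetry condition from the answer above can be checked offline before the crypto maps are applied. This is an added example, not part of the original thread: the function names are hypothetical, the two router snippets are the ones posted in the question, and the parser assumes only `permit ip` entries written with `host`, `any`, or an address plus a contiguous wildcard mask.

```python
import ipaddress

def _take_endpoint(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network((tokens[1], 32)), tokens[2:]
    # Cisco ACLs use inverse (wildcard) masks: 0.0.0.255 means a /24.
    wild = int(ipaddress.IPv4Address(tokens[1]))
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard mask: " + tokens[1])
    prefix = 32 - wild.bit_length()
    return ipaddress.ip_network((tokens[0], prefix), strict=False), tokens[2:]

def parse_acl(config, number):
    """Return the set of (source, destination) networks permitted by one ACL."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", str(number), "permit", "ip"]:
            continue  # other config lines and deny entries are out of scope here
        src, rest = _take_endpoint(tok[4:])
        dst, _ = _take_endpoint(rest)
        pairs.add((src, dst))
    return pairs

def mirror_gaps(acl_a, acl_b):
    """Compare peer B's ACL with the mirror image of peer A's.
    Returns (entries B is missing, entries B has that A does not mirror)."""
    mirrored = {(dst, src) for src, dst in acl_a}
    return mirrored - acl_b, acl_b - mirrored

def is_mirror(acl_a, acl_b):
    return mirror_gaps(acl_a, acl_b) == (set(), set())

# Configuration lines as posted in the question, plus the corrected ACL 108.
ROUTER_A = "access-list 107 permit ip host 10.18.50.1 host 10.18.40.1"
ROUTER_B = "access-list 108 permit ip any any"
ROUTER_B_FIXED = "access-list 108 permit ip host 10.18.40.1 host 10.18.50.1"

if __name__ == "__main__":
    a = parse_acl(ROUTER_A, 107)
    for label, cfg in (("posted", ROUTER_B), ("corrected", ROUTER_B_FIXED)):
        missing, extra = mirror_gaps(a, parse_acl(cfg, 108))
        print(label, "mirror" if not (missing or extra) else "NOT mirror",
              "| missing:", missing, "| extra:", extra)
```

An `any any` entry on one side also selects far more traffic for encryption than the single host pair on the other side, which the second set returned by `mirror_gaps` makes visible.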
11-12-2008 11:28 PM
Thanks Istvan.
I got it now.. :)
That is very helpful..
rgds,
cindy.