Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
6493
Views
0
Helpful
2
Replies
cindylee27
Beginner
Beginner
‎11-12-2008 10:16 PM
‎11-12-2008 10:16 PM

IPSEC Crypto map match address is different...

Hi Experts,

I wan to check if let's say for this encrpytion as below, will it work if the match address is different access-list?

Is it okay if match address 108 is permit any any? Thanks.

For example, below 10.18.50.1 at Segment A is communicating with 10.18.40.1 at Segment B on this encrpytion traffic.

Router A#

crypto map NVR 15 ipsec-isakmp

set peer 10.18.20.5

set transform-set NVRS

match address 107

access-list 107 permit ip host 10.18.50.1 host 10.18.40.1

Router B#

crypto map NVR 15 ipsec-isakmp

set peer 10.18.20.6

set transform-set NVRS

match address 108

access-list 108 permit ip any any

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Istvan_Rabai
Rising star
Rising star
‎11-12-2008 10:42 PM
‎11-12-2008 10:42 PM

Hi Cindy,

According to my observations the access-lists defining the interesting traffic should be symmetrical on the VPN endpoints. Else the IPSec negotiation will fail and the VPN tunnel will not be formed.

So access-list 108 should be the following:

access-list 108 permit ip host 10.18.40.1 host 10.18.50.1

Cheers:

Istvan

View solution in original post

0 Helpful
2 REPLIES 2
Istvan_Rabai
Rising star
Rising star
‎11-12-2008 10:42 PM
‎11-12-2008 10:42 PM

Hi Cindy,

According to my observations the access-lists defining the interesting traffic should be symmetrical on the VPN endpoints. Else the IPSec negotiation will fail and the VPN tunnel will not be formed.

So access-list 108 should be the following:

access-list 108 permit ip host 10.18.40.1 host 10.18.50.1

Cheers:

Istvan

0 Helpful
cindylee27
Beginner
Beginner
In response to Istvan_Rabai
‎11-12-2008 11:28 PM
‎11-12-2008 11:28 PM

Thanks Istvan.

I got it now.. :)

That's is very helpful..

rgds,

cindy.

0 Helpful
Latest Contents
Upgrade Cisco DNA Center
Created by mclymer on 05-18-2022 12:20 PM
0
0
0
0
Learn more about Cisco DNA Center, Version 2.2.3.4
5-minute Cisco Survey – Enter Gift Card Giveaway!
Created by Robert Murphy on 05-18-2022 11:30 AM
1
5
1
5
Do you use Cisco DNA Center? Have you used and are you willing to provide your feedback in using the Cisco DNA Center help and documentation? If so, we’d like you to complete the survey linked below. Your feedback will help provide more effective and easi... view more
OSPF for CCIE Enterprise and Infrastructure Exam
Created by Meddane on 05-13-2022 02:24 AM
0
0
0
0
The ultimate is coming.  
Cisco Champion Radio: S9|E18 CC Unfiltered: Becoming an Expe...
Created by Amilee San Juan on 05-11-2022 12:57 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E18Follow us: https://twitter.com/CiscoChampion Reaching the height of your career is no simple feat. It often requires a combination of pursuing the right education, building the right professional network and being ... view more
SD-WAN and NAT Types
Created by Meddane on 05-08-2022 01:44 AM
0
0
0
0
In a typical production SD-WAN deployment, we would probably have many remote sites connected via many different Internet connections to a centralized data center or a regional hub. In most regions in the world, Internet providers will always use some typ... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad