Routing with access lists

Paul Smith
Level 1

Take a look at my config. I can ping a 172 address, which is great, and it shows the VPN is up. What I don't understand is how: 172 is not a static route, and it is not in the routing table?

cdi-rtr01#ping 172.16.10.7 source 10.0.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.7, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms

cdi-rtr01#sh ip route 172.16.10.7
% Network not in table

cdi-rtr01#sh run | sect cry

service password-encryption
crypto keyring bel-soc
pre-shared-key address 144.140.xxx.xxx key 9RECaYBLKxm2yGPGn
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
crypto ipsec transform-set tset-belsoc esp-aes esp-sha-hmac
mode tunnel
crypto map mymap 1 ipsec-isakmp
set peer 144.140.xxx.xxx
set security-association lifetime seconds 7200
set transform-set tset-belsoc
set pfs group2
match address 101
crypto map mymap


cdi-rtr01#sh int gig 0/0.2000
GigabitEthernet0/0.2000 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is b838.618a.bb00 (bia b838.618a.bb00)
Description: Camperdown Dairy International (CDI) - Braeside - Telstra Fibre CCID:
Internet address is 103.225.xxx.xxx/30
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 2000.
ARP type: ARPA, ARP Timeout 04:00:00
Keepalive set (10 sec)
Last clearing of "show interface" counters never


cdi-rtr01#sh ip rout
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 103.225.xxx.xxx to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 103.225.xxx.xxx, GigabitEthernet0/0.2000
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/0.3
L 10.0.0.200/32 is directly connected, GigabitEthernet0/0.3
103.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 103.225.xxx.xxx/30 is directly connected, GigabitEthernet0/0.2000
L 103.225.xxx.xxx/32 is directly connected, GigabitEthernet0/0.2000
C 103.225.xxx.xxx/30 is directly connected, GigabitEthernet0/1
L 103.225.xxx.xxx/32

cdi-rtr01#sh access-lists 101
Extended IP access list 101
10 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 (47 matches)

Accepted Solution

GRANT3779
Spotlight

I think this is due to your source IP and destination IP matching your ACL, which is referenced in your crypto map.

You have a default route pointing out GigabitEthernet0/0.2000 which has crypto map applied. The crypto ACL would be processed first.

I am not 100% on this though.


3 Replies


Thanks for your reply. Yes, I agree with you. I just wanted someone else to say it because I thought I was going crazy lol. I guess the default route covers it, right?

For the order of operations I have been looking at, my understanding is that the default route in your case 'catches' it. Then, as part of the egress order of operations, your traffic is encrypted because your crypto map / ACL matches.

http://etherealmind.com/cisco-ios-order-of-operation/
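To make the accepted answer and the order-of-operations reply above concrete: the router first does a normal routing lookup (nothing more specific covers 172.16.x.x, so the default route out GigabitEthernet0/0.2000 wins), and only then, on egress through the interface that carries `crypto map mymap`, does it check the crypto ACL to decide whether the packet is encrypted. The Python below is an added example written for this page, not code from the thread or from Cisco. It reconstructs the routing table and access-list 101 from the outputs posted above (the masked 103.225.xxx.xxx /30 connected routes are left out because their real values are not on the page) and shows which flows would be sent through the tunnel and which would leave in the clear.

```python
import ipaddress

# Routing table reconstructed from the thread's "sh ip route" output (constructed
# sample data). The masked 103.225.xxx.xxx /30 connected routes are omitted.
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet0/0.2000"),   # S* default route
    ("10.0.0.0/24", "GigabitEthernet0/0.3"),    # C connected LAN
]

# Interfaces that have "crypto map mymap" applied; the post shows it on Gig0/0.2000.
CRYPTO_MAP_INTERFACES = {"GigabitEthernet0/0.2000"}

# access-list 101: permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255
# Tuple layout: (action, src base, src wildcard, dst base, dst wildcard)
CRYPTO_ACL_101 = [
    ("permit", "10.0.0.0", "0.0.0.255", "172.16.0.0", "0.15.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def lookup_route(dst: str):
    """Longest-prefix match over ROUTES; returns (prefix, egress interface) or None."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def acl_action(src: str, dst: str, acl) -> str:
    """First-match ACL evaluation; Cisco ACLs end with an implicit deny."""
    for action, sbase, swc, dbase, dwc in acl:
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"


def forwarding_decision(src: str, dst: str) -> str:
    """Routing lookup first, then the crypto ACL on the egress interface only."""
    route = lookup_route(dst)
    if route is None:
        return "drop (no route)"
    prefix, iface = route
    if iface in CRYPTO_MAP_INTERFACES and acl_action(src, dst, CRYPTO_ACL_101) == "permit":
        return f"encrypt via mymap, out {iface} (route {prefix})"
    return f"cleartext out {iface} (route {prefix})"


if __name__ == "__main__":
    # The ping from the thread, plus three flows that show the boundaries of the ACL.
    for src, dst in [
        ("10.0.0.200", "172.16.10.7"),   # the OP's ping: default route + ACL hit
        ("10.0.0.200", "8.8.8.8"),       # default route, no ACL hit: cleartext
        ("10.0.0.200", "172.32.1.1"),    # just outside 172.16.0.0/12: cleartext
        ("10.0.0.200", "10.0.0.50"),     # connected LAN, interface has no crypto map
    ]:
        print(f"{src} -> {dst}: {forwarding_decision(src, dst)}")
```

Two things worth checking on a real box follow from the model. First, the wildcard 0.15.255.255 covers exactly 172.16.0.0 through 172.31.255.255; any destination outside that range (172.32.1.1 above) takes the same default route but is never offered to the crypto map, so it leaves the WAN interface unencrypted rather than being dropped. Second, the routing table never "knows" about the tunnel, so confirm encryption with the IPsec SA counters (`show crypto ipsec sa`, looking at the pkts encaps/decaps counts) rather than with `show ip route`.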
