07-20-2017 06:47 AM - edited 03-05-2019 08:52 AM
Take a look at my config. I can ping a 172 address which is great and it shows the VPN is up. What I don't understand is how? 172 is not a static route and it is not in the routing table?
cdi-rtr01#ping 172.16.10.7 source 10.0.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.7, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
cdi-rtr01#sh ip route 172.16.10.7
% Network not in table
cdi-rtr01#sh run | sect cry
service password-encryption
crypto keyring bel-soc
pre-shared-key address 144.140.xxx.xxx key 9RECaYBLKxm2yGPGn
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
crypto ipsec transform-set tset-belsoc esp-aes esp-sha-hmac
mode tunnel
crypto map mymap 1 ipsec-isakmp
set peer 144.140.xxx.xxx
set security-association lifetime seconds 7200
set transform-set tset-belsoc
set pfs group2
match address 101
crypto map mymap
cdi-rtr01#sh int gig 0/0.2000
GigabitEthernet0/0.2000 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is b838.618a.bb00 (bia b838.618a.bb00)
Description: Camperdown Dairy International (CDI) - Braeside - Telstra Fibre CCID:
Internet address is 103.225.xxx.xxx/30
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 2000.
ARP type: ARPA, ARP Timeout 04:00:00
Keepalive set (10 sec)
Last clearing of "show interface" counters never
cdi-rtr01#sh ip rout
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 103.225.xxx.xxx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 103.225.xxx.xxx, GigabitEthernet0/0.2000
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/0.3
L 10.0.0.200/32 is directly connected, GigabitEthernet0/0.3
103.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 103.225.xxx.xxx/30 is directly connected, GigabitEthernet0/0.2000
L 103.225.xxx.xxx/32 is directly connected, GigabitEthernet0/0.2000
C 103.225.xxx.xxx/30 is directly connected, GigabitEthernet0/1
L 103.225.xxx.xxx/32
cdi-rtr01#sh access-lists 101
Extended IP access list 101
10 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 (47 matches)
07-20-2017 08:43 AM
I think this is due to your source IP and destination IP matching your ACL which is referenced in your crypto map.
You have a default route pointing out GigabitEthernet0/0.2000 which has crypto map applied. The crypto ACL would be processed first.
I am not 100% on this though.
07-20-2017 08:52 PM
Thanks for your reply. Yes, I agree with you. I just wanted someone else to say it because I thought I was going crazy lol. I guess the default route covers it, right?
07-20-2017 10:51 PM
For the order of operations I have been looking at, my understanding is the default route in your case 'catches' it. Then as part of the egress order of operations your traffic is encrypted due to your Crypto map / ACL matching.
http://etherealmind.com/cisco-ios-order-of-operation/
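The lookup order discussed in this thread, as an added example that is not part of any post: a small Python model of longest-prefix routing followed by the crypto ACL check on the egress interface. It uses the routes and access list 101 as posted; the interface carrying the crypto map is taken from the reply, and all function names are hypothetical.

```python
import ipaddress

# Routes from the "sh ip route" output in the thread. The masked
# 103.225.xxx.xxx connected routes are omitted; they are not needed here.
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet0/0.2000"),
    ("10.0.0.0/24", "GigabitEthernet0/0.3"),
    ("10.0.0.200/32", "GigabitEthernet0/0.3"),
]

# access-list 101 as posted: (src, src wildcard, dst, dst wildcard)
CRYPTO_ACL = [("10.0.0.0", "0.0.0.255", "172.16.0.0", "0.15.255.255")]

# Assumption taken from the reply: crypto map mymap is applied here.
CRYPTO_MAP_INTERFACES = {"GigabitEthernet0/0.2000"}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def route_lookup(dst):
    """Longest-prefix match; returns (prefix, egress interface) or None."""
    dst_ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def forward(src, dst):
    """Returns (egress interface, matched prefix, encrypted?) for one packet."""
    hit = route_lookup(dst)
    if hit is None:
        return (None, None, False)  # no route: dropped before crypto applies
    prefix, iface = hit
    encrypted = iface in CRYPTO_MAP_INTERFACES and any(
        wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
        for s, sw, d, dw in CRYPTO_ACL
    )
    return (iface, prefix, encrypted)


if __name__ == "__main__":
    for src, dst in [("10.0.0.200", "172.16.10.7"), ("10.0.0.200", "8.8.8.8")]:
        print(src, "->", dst, forward(src, dst))
```

In this model a packet whose source falls outside 10.0.0.0/24 still follows the default route out the same interface but is not selected for encryption, which is worth checking when the LAN addressing changes.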