06-29-2021 08:10 AM
Good morning,
I am running into a problem with, I think, the ACL I have set up for this VPN. The goal is to allow one host, 192.168.33.9, to communicate with a printer over a VPN tunnel. I have this set up at 3 other locations with different equipment and it works fine. Running the command show crypto isakmp sa shows the tunnel as active, and show crypto ipsec sa shows the tunnel as active.
This configuration is on an ISR 4321 (trouble site); we have ASAs at the three sites that work.
This is why I think it is an ACL issue. Here is what I have configured for this VPN:
access-list 130 permit ip host 192.168.33.9 host H.H.H.H
crypto map VPNmap 130 ipsec-isakmp
description Tunnel to RRVR
set peer R.R.R.R
set transform-set ESP-AES256-SHA1
match address 130
Thanks for your time, I deeply appreciate your assistance.
06-29-2021 08:42 AM
What do the logs show, and what is the other side's config?
Also, as mentioned, post whether your tunnel is up:
show crypto isakmp sa
show crypto ipsec sa
06-29-2021 09:00 AM
What logs would you like to see? I am not at all familiar with the ISR or the IOS.
show crypto isakmp sa
ISR-GW1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
L.L.L.L X.X.X.X QM_IDLE 13044 ACTIVE
L.L.L.L R.R.R.R QM_IDLE 13043 ACTIVE
L.L.L.L X.X.X.X QM_IDLE 13042 ACTIVE
IPv6 Crypto ISAKMP SA
show crypto ipsec sa
#show crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: VPNmap, local addr L.L.L.L
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.32.0/255.255.248.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.254.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 404691252, #pkts encrypt: 404691252, #pkts digest: 404691252
#pkts decaps: 262974473, #pkts decrypt: 262974473, #pkts verify: 262974473
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: L.L.L.L, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x6B62317E(1801597310)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC354FF86(3277127558)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6313, flow_id: ESG:4313, sibling_flags FFFFFFFF80004048, crypto map: VPNmap
sa timing: remaining key lifetime (k/sec): (4605922/2548)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6B62317E(1801597310)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6314, flow_id: ESG:4314, sibling_flags FFFFFFFF80004048, crypto map: VPNmap
sa timing: remaining key lifetime (k/sec): (4605744/2548)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.32.0/255.255.248.0/0/0)
remote ident (addr/mask/prot/port): (192.168.8.0/255.255.254.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5580685, #pkts encrypt: 5580685, #pkts digest: 5580685
#pkts decaps: 4498351, #pkts decrypt: 4498351, #pkts verify: 4498351
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: L.L.L.L, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x22AB76B1(581662385)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB193279B(2979211163)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6311, flow_id: ESG:4311, sibling_flags FFFFFFFF80004048, crypto map: VPNmap
sa timing: remaining key lifetime (k/sec): (4605109/1057)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x22AB76B1(581662385)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6312, flow_id: ESG:4312, sibling_flags FFFFFFFF80004048, crypto map: VPNmap
sa timing: remaining key lifetime (k/sec): (4599545/1057)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.33.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (H.H.H.H/255.255.255.255/0/0)
current_peer R.R.R.R port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: L.L.L.L, remote crypto endpt.: R.R.R.R
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x12E03C24(316685348)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x289AD8EB(681236715)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6315, flow_id: ESG:4315, sibling_flags FFFFFFFF80000048, crypto map: VPNmap
sa timing: remaining key lifetime (k/sec): (4608000/3274)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x12E03C24(316685348)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6316, flow_id: ESG:4316, sibling_flags FFFFFFFF80000048, crypto map: VPNmap
sa timing: remaining key lifetime (k/sec): (4608000/3274)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.32.0/255.255.248.0/0/0)
remote ident (addr/mask/prot/port): (H.H.H.H/255.255.255.255/0/0)
current_peer R.R.R.R port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: L.L.L.L, remote crypto endpt.: R.R.R.R
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
06-30-2021 01:54 AM
Hello,
I have seen it a few times where the legacy (outdated) crypto maps don't work well; you might want to try a SVTI. This needs to be set up on both sides... What equipment do you have on the other side?
06-30-2021 06:59 AM
I have no control over the other side, as it is a vendor's site. I will, however, look into SVTI (not familiar with the term) to see if that might provide some help.
06-30-2021 02:38 AM
In addition to what the others have suggested have you done a NAT exemption for the VPN tunnel traffic ?
Jon
06-30-2021 07:02 AM
Jon,
First, thank you for your assistance. In the instructions I found there was no mention of NAT, which, from setting up the three ASAs, I found strange. Can you provide an example of the NAT exemption for the VPN tunnel you are talking about, or a link to documentation about this? In the meantime, it is off to the great oracle Google.
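As an added example (not posted by Jon or anyone else in this thread), here is what a NAT exemption for the crypto map ACL 130 flow looks like on IOS. It assumes the ISR does overload PAT on GigabitEthernet0/0/0 for the 192.168.32.0/21 LAN; the NAT ACL name NAT-INSIDE is a placeholder for whatever list the existing ip nat inside source statement uses.

```cisco
! Added example, not from the thread. Assumes overload PAT on Gi0/0/0 for
! 192.168.32.0/21; NAT-INSIDE is a placeholder for the existing NAT ACL name.
!
! Why an exemption is needed: on IOS, inside-to-outside NAT runs before the
! outbound crypto map is evaluated. A packet from 192.168.33.9 to H.H.H.H is
! translated to the WAN address first, so it no longer matches
!   access-list 130 permit ip host 192.168.33.9 host H.H.H.H
! and is never encrypted (which is why that SA shows #pkts encaps: 0).
!
ip access-list extended NAT-INSIDE
 ! deny lines for VPN traffic must come BEFORE the permit (first match wins)
 deny   ip host 192.168.33.9 host H.H.H.H
 ! exemptions for the two already-working tunnels, taken from the
 ! remote idents in the show crypto ipsec sa output above
 deny   ip 192.168.32.0 0.0.7.255 192.168.4.0 0.0.1.255
 deny   ip 192.168.32.0 0.0.7.255 192.168.8.0 0.0.1.255
 permit ip 192.168.32.0 0.0.7.255 any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
!
! Checks, after the host sends traffic to the printer:
!  show ip nat translations | include 192.168.33.9   no entry toward H.H.H.H
!  show access-lists 130                              match counter increments
!  show crypto ipsec sa peer R.R.R.R | include pkts   encaps/decaps climb from 0
```

If the existing NAT statement references a different list or a route-map, add the deny entry to that list rather than creating a second ip nat inside source statement.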
06-30-2021 07:38 AM
I also read through this documentation:
I missed the NAT part