12-17-2012 07:45 PM - edited 03-04-2019 06:26 PM
Diagram and configs as attached. Order of the devices:
1800 --- 2800 --- 3750
The tunnel is up and I can access 10.66.0.0/16 from 172.55.0.0 but not from 10.55.0.0.
No idea what went wrong. Hope to get some ideas from the experts here.
Another thing I noticed: if I ping from 10.55.0.0, it will not build the tunnel (which means 10.55.0.0 is not considered interesting traffic).
BTW, nothing other than the VPN config can be amended, as I'm just helping to set up the tunnel.
12-18-2012 12:42 AM
Can you try modifying:
ip access-list extended Nat-Add
deny ip any 10.0.0.0 0.0.0.255
to:
ip access-list extended Nat-Add
deny ip any 10.55.0.0 0.0.255.255
This entry will need to be near the top of the ACL. I can't believe I missed the subnet mask earlier -- as you mentioned you had matches for the "deny ip any 172.55.0.0 0.0.255.255" statement, but traffic destined for the 10.55.0.0 network wouldn't match the original ACL entry of 10.0.0.0/24.
Hope that helps!
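The exchange above turns on how IOS evaluates a NAT-exemption ACL: wildcard bits, first-match ordering, and which direction the source/destination fields are read in. The following is an added example, not code from either poster. It evaluates a packet against the two quoted `deny` lines plus constructed `permit` lines (the full Nat-Add ACL is not posted, so those permits are an assumption), and also against a third, assumed, source-to-destination form of the exemption entry for contrast.

```python
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard is a don't-care bit.
    0.0.0.255 therefore covers a /24, 0.0.255.255 a /16."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


def _take_spec(tok, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    """Parse a 'permit|deny ip <src> <dst>' entry of an extended ACL."""
    tok = line.split()
    src, i = _take_spec(tok, 2)
    dst, _ = _take_spec(tok, i)
    return {"action": tok[0], "src": src, "dst": dst, "text": line}


def evaluate(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


def is_natted(acl, src, dst):
    """In an 'ip nat inside source list' rule a permit means translate,
    a deny means leave the packet alone (NAT exemption)."""
    return evaluate(acl, src, dst)[0] == "permit"


# Constructed ACLs. The deny lines are the ones quoted in the thread; the
# permit lines that trigger translation are an assumption, since the full
# Nat-Add ACL is not posted.
ORIGINAL = [parse_ace(l) for l in (
    "deny ip any 10.0.0.0 0.0.0.255",
    "deny ip any 172.55.0.0 0.0.255.255",
    "permit ip 10.55.0.0 0.0.255.255 any",
    "permit ip 172.55.0.0 0.0.255.255 any",
)]
SUGGESTED = [parse_ace(l) for l in (
    "deny ip any 10.55.0.0 0.0.255.255",
    "deny ip any 172.55.0.0 0.0.255.255",
    "permit ip 10.55.0.0 0.0.255.255 any",
    "permit ip 172.55.0.0 0.0.255.255 any",
)]
# Assumed, for contrast: an exemption written as local source to remote
# destination, the direction in which inside-source NAT reads the packet.
SRC_TO_REMOTE = [parse_ace(l) for l in (
    "deny ip 10.55.0.0 0.0.255.255 10.66.0.0 0.0.255.255",
    "permit ip 10.55.0.0 0.0.255.255 any",
)]

if __name__ == "__main__":
    # The mask difference: /24 vs /16 coverage of the 10.55.0.0 block.
    print(wildcard_match("10.55.3.4", "10.0.0.0", "0.0.0.255"))     # False
    print(wildcard_match("10.55.3.4", "10.55.0.0", "0.0.255.255"))  # True
    # A host on 10.55.0.0/16 talking to the remote 10.66.0.0/16:
    for name, acl in (("original", ORIGINAL), ("suggested", SUGGESTED),
                      ("src-to-remote", SRC_TO_REMOTE)):
        action, hit = evaluate(acl, "10.55.1.10", "10.66.1.10")
        print(f"{name:14} natted={is_natted(acl, '10.55.1.10', '10.66.1.10')} via '{hit}'")
```

Run it and compare the three ACLs for the same 10.55.1.10 to 10.66.1.10 packet: the first two only exempt packets whose destination is on the 10.x side, so the outbound packet still reaches the permit and is translated before the crypto map sees it; the third exempts it. Swap source and destination to see which entries match return traffic.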
12-18-2012 12:51 AM
Tried it; there are matches on the ACL but not on the IPsec SA decrypt/encrypt packets.
12-18-2012 01:03 AM
Those NAT exemption statements still seem backwards to me.
Can you post the output of "sh crypto ipsec sa" and "sh crypto isakmp sa" when the tunnel is up?
12-18-2012 01:38 AM
2800#sh crypto isakmp sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1099 225.253.96.144 101.92.100.194 ACTIVE aes sha psk 2 00:59:38 DK
Engine-id:Conn-id = SW:99
IPv6 Crypto ISAKMP SA
2800#sh crypto ipsec sa
interface: Loopback0
Crypto map tag: VPN_TUNNEL, local addr 225.253.96.144
protected vrf: (none)
local ident (addr/mask/prot/port): (172.55.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.66.0.0/255.255.0.0/0/0)
current_peer 101.92.100.194 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 22555, #pkts encrypt: 22555, #pkts digest: 22555
#pkts decaps: 22547, #pkts decrypt: 22547, #pkts verify: 22547
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 22, #recv errors 0
local crypto endpt.: 225.253.96.144, remote crypto endpt.: 101.92.100.194
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x541903AD(1410925485)
inbound esp sas:
spi: 0xB20CE189(2987188617)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2017, flow_id: FPGA:17, crypto map: VPN_TUNNEL
sa timing: remaining key lifetime (k/sec): (4510745/28736)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x541903AD(1410925485)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2018, flow_id: FPGA:18, crypto map: VPN_TUNNEL
sa timing: remaining key lifetime (k/sec): (4510744/28730)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.55.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.66.0.0/255.255.0.0/0/0)
current_peer 101.92.100.194 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 225.253.96.144, remote crypto endpt.: 101.92.100.194
path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
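The output above contains the answer to "is 10.55.0.0 being treated as interesting traffic" once you read it per proxy identity: the 172.55.0.0/16 pair has SPIs and counters, the 10.55.0.0/16 pair has neither. The following is an added example, not code from the thread: a parser for `show crypto ipsec sa` that splits the output into one record per local/remote identity and flags pairs that were never negotiated, pairs with SAs but no packets, and pairs with send errors. The embedded output is a trimmed copy of the post above (AH, PCP and compression lines dropped; counters and SPIs as posted).

```python
import ipaddress
import re

# Trimmed copy of the "sh crypto ipsec sa" output posted above.
SA_OUTPUT = """\
interface: Loopback0
Crypto map tag: VPN_TUNNEL, local addr 225.253.96.144
protected vrf: (none)
local ident (addr/mask/prot/port): (172.55.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.66.0.0/255.255.0.0/0/0)
current_peer 101.92.100.194 port 500
#pkts encaps: 22555, #pkts encrypt: 22555, #pkts digest: 22555
#pkts decaps: 22547, #pkts decrypt: 22547, #pkts verify: 22547
#send errors 22, #recv errors 0
current outbound spi: 0x541903AD(1410925485)
inbound esp sas:
spi: 0xB20CE189(2987188617)
Status: ACTIVE
inbound ah sas:
outbound esp sas:
spi: 0x541903AD(1410925485)
Status: ACTIVE
outbound ah sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.55.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.66.0.0/255.255.0.0/0/0)
current_peer 101.92.100.194 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
outbound esp sas:
outbound ah sas:
"""


def _cidr(addr, mask):
    return str(ipaddress.IPv4Network(f"{addr}/{mask}"))


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' into one record per proxy identity pair."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"local ident .*?\(([\d.]+)/([\d.]+)/", line)
        if m:
            cur = {"local": _cidr(*m.groups()), "remote": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0,
                   "inbound_spi": [], "outbound_spi": []}
            entries.append(cur)
            section = None
            continue
        if cur is None:
            continue
        m = re.match(r"remote ident .*?\(([\d.]+)/([\d.]+)/", line)
        if m:
            cur["remote"] = _cidr(*m.groups())
        elif line.startswith("#pkts encaps:"):
            cur["encaps"] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            cur["decaps"] = int(re.search(r"decaps: (\d+)", line).group(1))
        elif line.startswith("#send errors"):
            cur["send_errors"] = int(re.search(r"send errors (\d+)", line).group(1))
        elif line.endswith("sas:"):
            # Only the ESP sections carry the SPIs we care about; AH/PCP reset it.
            section = {"inbound esp sas:": "inbound_spi",
                       "outbound esp sas:": "outbound_spi"}.get(line)
        elif line.startswith("spi:") and section:
            cur[section].append(line.split()[1].split("(")[0])
    return entries


def diagnose(entries):
    """Classify each identity pair. 'No SA' means nothing ever matched that
    crypto ACL line (or the peer refused it), so the pair never negotiated."""
    report = []
    for e in entries:
        key = f"{e['local']} -> {e['remote']}"
        if not e["inbound_spi"] and not e["outbound_spi"]:
            report.append((key, "no SA: this proxy pair was never negotiated"))
        elif e["encaps"] == 0 and e["decaps"] == 0:
            report.append((key, "SA present but no packets"))
        elif e["send_errors"]:
            report.append((key, f"traffic flowing, {e['send_errors']} send errors"))
        else:
            report.append((key, "traffic flowing"))
    return report


if __name__ == "__main__":
    for key, status in diagnose(parse_ipsec_sa(SA_OUTPUT)):
        print(f"{key:32} {status}")
```

Feed it the live output from the router rather than the embedded copy to watch the 10.55.0.0/16 entry change state: an SPI appearing without counters means the peer accepted the identity but nothing reached the crypto map; counters that stay at zero while the ACL shows matches point at a device before the crypto map (NAT, routing) rather than at IKE.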
12-18-2012 08:03 AM
Is there any chance the remote end is missing an ACL entry for the 10.55.0.0/16 subnet?
Can you post the remote config?
Sent from Cisco Technical Support iPhone App
12-18-2012 08:59 PM
The remote is using an ASA; they can't share full configs, only the VPN-related config.
crypto map BPAS 50 match address tun-up-Melb-Pectera-office
crypto map BPAS 50 set pfs
crypto map BPAS 50 set peer 225.253.96.144
crypto map BPAS 50 set transform-set 3dessha
crypto map BPAS 50 set security-association lifetime seconds 28800
crypto map BPAS 50 set security-association lifetime kilobytes 4608000
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
access-list tun-up-office extended permit ip Office-all 255.255.0.0 10.55.0.0 255.255.0.0
access-list tun-up-office extended permit ip Office-all 255.255.0.0 172.55.0.0 255.255.0.0
name 10.66.0.0 Office-all
access-list no-nat extended permit ip Office-all 255.255.0.0 10.55.0.0 255.255.0.0
access-list no-nat extended permit ip Office-all 255.255.0.0 172.55.0.0 255.255.0.0
12-18-2012 10:37 PM
A couple of issues: the crypto ACL posted doesn't match the one referenced in the crypto map, and the peer doesn't match the provided diagram. I may be misremembering, but I don't recall seeing PFS configured on the 2800.
I'll review again in the morning.
Sent from Cisco Technical Support iPhone App
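Two of the checks raised above can be done mechanically from what is posted: does every `crypto map ... match address` name resolve to a defined ACL, and is each proxy identity on one side mirrored (source and destination swapped) on the other. The following is an added example, not code from the thread. It parses the ASA fragment exactly as posted (including the `name` substitution) and compares it against the IOS proxy identities reported in the `sh crypto ipsec sa` output, since the 2800's crypto ACL itself is not posted; the PFS question cannot be checked from the page and is left out.

```python
import ipaddress

# Copied from the ASA fragment posted above (lines not needed for the check omitted).
ASA_CONFIG = """\
crypto map BPAS 50 match address tun-up-Melb-Pectera-office
crypto map BPAS 50 set peer 225.253.96.144
name 10.66.0.0 Office-all
access-list tun-up-office extended permit ip Office-all 255.255.0.0 10.55.0.0 255.255.0.0
access-list tun-up-office extended permit ip Office-all 255.255.0.0 172.55.0.0 255.255.0.0
"""

# IOS side: the proxy identities reported by "sh crypto ipsec sa" above,
# which are what the 2800's crypto ACL produced (that ACL itself is not posted).
IOS_PROXY_IDS = [
    ("172.55.0.0/255.255.0.0", "10.66.0.0/255.255.0.0"),
    ("10.55.0.0/255.255.0.0", "10.66.0.0/255.255.0.0"),
]


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def parse_asa(config):
    """Return ({(map, seq): acl name referenced}, {acl name: [(src, dst)]}).
    'name' entries are resolved when they appear in access-list lines."""
    names, acls, referenced = {}, {}, {}
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok[:2] == ["crypto", "map"] and "match" in tok:
            referenced[(tok[2], tok[3])] = tok[tok.index("address") + 1]
        elif tok[0] == "access-list" and tok[3:5] == ["permit", "ip"]:
            src = _net(names.get(tok[5], tok[5]), tok[6])
            dst = _net(names.get(tok[7], tok[7]), tok[8])
            acls.setdefault(tok[1], []).append((src, dst))
    return referenced, acls


def check(referenced, acls, ios_ids):
    """Findings: match-address names that reference no ACL, and proxy
    identities on either side that the other side does not mirror."""
    findings = []
    for (mapname, seq), acl in referenced.items():
        if acl not in acls:
            findings.append(f"crypto map {mapname} {seq} references ACL '{acl}', "
                            f"but only {sorted(acls)} are defined")
    asa_pairs = {p for entries in acls.values() for p in entries}
    ios_pairs = {(_net(*l.split("/")), _net(*r.split("/"))) for l, r in ios_ids}
    for local, remote in ios_pairs:
        if (remote, local) not in asa_pairs:
            findings.append(f"IOS identity {local} -> {remote} has no mirror on the ASA")
    for src, dst in asa_pairs:
        if (dst, src) not in ios_pairs:
            findings.append(f"ASA entry {src} -> {dst} has no mirror on the IOS side")
    return findings


if __name__ == "__main__":
    referenced, acls = parse_asa(ASA_CONFIG)
    for f in check(referenced, acls, IOS_PROXY_IDS) or ["no findings"]:
        print(f)
```

On the posted fragment the mirror check passes (both 10.55.0.0/16 and 172.55.0.0/16 are paired with 10.66.0.0/16 on each side) and the only finding is the ACL name referenced by `crypto map BPAS 50` not matching the ACL that is defined. Whether that is a paste error or the real state of the ASA is something only the remote admin can confirm.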