10-20-2017 10:52 AM - edited 03-08-2019 12:26 PM
Hi!
I have a Cisco C881W-A-K9, on firmware 15.2(4)M4, that is connected to an ASA Firewall (supplier, ERP). I also have another tunnel which is connected to the main Office (Juniper).
When I run show crypto isakmp sa, the tunnel is Active but idle. On their end, they have a server which has to reach some devices, which are actually printers. I configured the access-list for the Crypto, this is all good, the tunnel goes active like I said.
The issue: they can't ping those devices, which I am able to ping from a network behind the Juniper. I am not able to find out why.
Here's a sample of the configuration that I attached to the post (note: external IP and keys are replaced :) )
Any help is appreciated!
Thanks
10-20-2017 11:20 AM
Hello,
I am not sure about this, but I seem to remember that having multiple transform sets in one single crypto map can cause problems. Try and use either one of them, but not both together...
10-22-2017 12:48 AM - edited 10-22-2017 12:49 AM
Hi,
Please try with "transport mode" by changing the lines as shown below:
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
HTH,
Meheretab