12-06-2010 10:44 AM
I'm stumped here, for one of my tunnels I have a subnet that is working:
-show crypto ipsec:
Crypto map tag: ntelagent, seq num: 7, local addr: 64.38.3.18
access-list VPNTunnel9 permit ip host hl7a.int6 204.145.246.0 255.255.255.0
local ident (addr/mask/prot/port): (hl7a.int6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (204.145.246.0/255.255.255.0/0/0)
current_peer: 72.158.65.147
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
local crypto endpt.: 64.38.3.18, remote crypto endpt.: 72.158.65.147
Yet on the same tunnel I cannot get encrypts to a different host on the encryption domain:
-
access-list VPNTunnel9 permit ip host hl7a.int6 host 10.10.0.43
local ident (addr/mask/prot/port): (hl7a.int6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.0.43/255.255.255.255/0/0)
current_peer: 72.158.65.147
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 323, #pkts decrypt: 323, #pkts verify: 323
local crypto endpt.: 64.38.3.18, remote crypto endpt.: 72.158.65.147
The ACL configurations are identical for the crypto map and the no-nat:
access-list VPNTunnel9 extended permit ip host hl7a.int6 204.145.246.0 255.255.255.0
access-list VPNTunnel9 extended permit ip host hl7a.int6 host 10.10.0.43
access-list nonat extended permit ip host hl7a.int6 204.145.246.0 255.255.255.0
access-list nonat extended permit ip host hl7a.int6 host 10.10.0.43
Anyone have any ideas please??? If I'm getting decrypts but no encrypts that would mean the issue is on my side, right?
12-06-2010 11:27 AM
See if the routing is right. In order to reach 10.10.0.43, the route should point to the crypto map interface if your config is fine otherwise. Also, inbound access-lists on the LAN interface can be checked.
Captures also should show you in which direction the packet is getting dropped.
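The symptom in this thread (decaps counting up while encaps stays at zero) can be checked across every SA at once. The following is an added example, not part of the original posts: a Python parser for the counter lines quoted in the question, with the function names `parse_sas` and `one_way_sas` being assumptions of this example.

```python
import re

# Excerpt of the "show crypto ipsec" output quoted in the question above.
SHOW_CRYPTO_IPSEC_SA = """\
Crypto map tag: ntelagent, seq num: 7, local addr: 64.38.3.18
local ident (addr/mask/prot/port): (hl7a.int6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (204.145.246.0/255.255.255.0/0/0)
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
local ident (addr/mask/prot/port): (hl7a.int6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.0.43/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 323, #pkts decrypt: 323, #pkts verify: 323
"""

IDENT = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \((.+)\)$")
COUNTER = re.compile(r"#pkts (\w+): (\d+)")

def parse_sas(text):
    """Split the output into one dict per SA; a 'local ident' line starts a new SA."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        m = IDENT.match(line)
        if m and m.group(1) == "local":
            sas.append({"local": m.group(2), "remote": None})
        elif m and sas:
            sas[-1]["remote"] = m.group(2)
        elif sas:
            # Counter lines carry several "#pkts name: value" pairs each.
            for name, value in COUNTER.findall(line):
                sas[-1][name] = int(value)
    return sas

def one_way_sas(sas):
    """Return (remote ident, finding) for SAs passing traffic in one direction only."""
    findings = []
    for sa in sas:
        enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
        if dec > 0 and enc == 0:
            findings.append((sa["remote"], "receive-only: check local route, no-nat ACL, inbound ACL"))
        elif enc > 0 and dec == 0:
            findings.append((sa["remote"], "send-only: nothing decrypted from the peer"))
    return findings

if __name__ == "__main__":
    print(one_way_sas(parse_sas(SHOW_CRYPTO_IPSEC_SA)))
```

Run against the quoted output, it reports only the SA for 10.10.0.43 as receive-only, which matches the counters in the question.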