Router A's internal network 10.1.1.0 needs to access the internet network 22.214.171.124. The IPsec configuration tells the router to run it through the tunnel, which terminates on the internal interface 10.2.1.1 of a remote head-end ASA with an external-facing interface to network 126.96.36.199. This ASA is behind Router B.
Internal 10.1.1.1<--RouterA-->MPLS Cloud<--Router B-->Internal 10.2.1.1<--ASA--> 188.8.131.52
My crypto map ACLs are not matching the interesting traffic that I'm generating. I tested using a "permit ip any any" ACL and the tunnel comes up, but it's not matching the specific subnets I want to use.
ASA (head end):

object network ANNEX_10.1.1.0
 subnet 10.1.1.0 255.255.255.0
object network XXXX_network_184.108.40.206
 subnet 220.127.116.11 255.255.0.0
access-list TEST_ENCRYPTION_TO_ANNEX extended permit ip object XXXX_network_18.104.22.168 object ANNEX_10.1.1.0

Router A:

ip access-list extended XXXX_VPN
 permit ip 10.1.1.0 0.0.0.255 22.214.171.124 0.0.255.255 log
!
crypto map XXXX_CMAP 10 ipsec-isakmp
 set peer 10.2.1.1
 set transform-set XXXX_TSET
 match address XXXX_VPN
!
interface GigabitEthernet0/0.60
 encapsulation dot1Q 60
 ip address 10.1.1.1 255.255.255.0
 crypto map XXXX_CMAP
Any help appreciated,
Can you please clarify this statement:
"My crypto map ACLs are not matching the interesting traffic that I'm generating. I tested using a "permit ip any any" ACL and the tunnel comes up, but it's not matching the specific subnets I want to use."
Does this mean that, when you use the 'permit ip any any' statement, you are trying to access the 162.143.X.X subnet from Router A's internal network 10.1.1.X, which makes the tunnel come up? Or are you accessing that subnet from some other subnet?
Do you have the required routing in place? Can you check if you have a route on Router A for the 162.143.X.X subnet with exit interface Gi0/0.60?
Thank you for the prompt response.
When I use "permit ip any any" and source a ping from interface Gi0/0.60 (10.1.1.1) to 126.96.36.199, the tunnel comes up. Although I can't reach the 188.8.131.52 network yet, I think that may be a NAT or other Phase 2 issue.
There is an existing redistributed route to that network, but not through the tunnel. I assumed the crypto map on the interface would supersede any other routes and automatically force traffic from 10.1.1.0 destined for 184.108.40.206 through the tunnel. Is that not the case?
Thank you again!
I don't think a crypto map can override the routing table, though PBR can.
As far as I know, you have to route the traffic for 160.143.X.X manually with exit interface Gi0/0.60.
I am curious why you are building an IPsec tunnel on a private network when you already have MPLS-VPN in place.
Thank you. I will try adding a PBR policy to see if that works. MPLS does not inherently provide encryption, which is a requirement for the particular traffic we're trying to route across it.
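The point made in the replies above (the routing table picks the egress interface first, and a crypto map is only consulted on the interface it is bound to, so traffic routed elsewhere leaves the router unencrypted) can be checked with a small simulation. This is an added example, not code from the thread or from Cisco; it assumes a placeholder remote network 162.143.0.0/16 and an assumed MPLS-facing interface name "Gi0/1".

```python
import ipaddress

# Constructed model (not the poster's configuration, not IOS code) of how an IOS
# router decides whether a packet gets IPsec protection: the routing table chooses
# the egress interface FIRST; the crypto map ACL is consulted only if a crypto map
# is bound to that interface. A matching ACL on an interface the packet never
# leaves through does nothing, and the traffic is forwarded in the clear.

def wildcard_acl_entry(src, src_wc, dst, dst_wc):
    """Convert an IOS 'permit ip A wcA B wcB' line; ipaddress accepts hostmask notation."""
    return (ipaddress.ip_network(f"{src}/{src_wc}"), ipaddress.ip_network(f"{dst}/{dst_wc}"))

def egress_interface(routes, dst):
    """Longest-prefix match over (prefix, exit interface) tuples; None if no route."""
    candidates = [(ipaddress.ip_network(p), i) for p, i in routes]
    matches = [(n, i) for n, i in candidates if dst in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def forwarding_decision(routes, crypto_maps, src, dst):
    """Return ('drop' | 'cleartext' | 'encrypted', egress interface)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(routes, dst)
    if egress is None:
        return ("drop", None)
    acl = crypto_maps.get(egress, [])          # only the egress interface's crypto map counts
    if any(src in s and dst in d for s, d in acl):
        return ("encrypted", egress)
    return ("cleartext", egress)

# Crypto ACL XXXX_VPN from the thread; the remote network is a placeholder 162.143.0.0/16
XXXX_VPN = [wildcard_acl_entry("10.1.1.0", "0.0.0.255", "162.143.0.0", "0.0.255.255")]
CRYPTO_MAPS = {"Gi0/0.60": XXXX_VPN}          # crypto map XXXX_CMAP is bound to Gi0/0.60

# "Gi0/1" is an assumed name for Router A's MPLS-facing interface (not on the page).
ROUTES_BEFORE = [("0.0.0.0/0", "Gi0/1"), ("162.143.0.0/16", "Gi0/1")]    # redistributed route only
ROUTES_AFTER = [("0.0.0.0/0", "Gi0/1"), ("162.143.0.0/16", "Gi0/0.60")]  # static route via crypto-map interface

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, forwarding_decision(routes, CRYPTO_MAPS, "10.1.1.1", "162.143.10.10"))
```

With the redistributed route the packet exits Gi0/1 in cleartext even though XXXX_VPN would match it; once the remote subnet is routed out Gi0/0.60 the same packet is selected for encryption.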