ipsec vpn acl issue

danny.carroll
Level 1

Hello,

I have a crypto map applied with an acl of

permit ip 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255

deny ip any any

For some reason when i send the ping:

ping 192.168.13.250 so 192.168.200.1, the packets aren't hitting the permit portion of the ACL.

I see the pings I'm sending hitting the

deny ip 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255 which is for not NATting.

I have 15 other VPN peers working just fine. This one just seems to be buggy.

Anyone seen anything like this before?

5 Replies

danny.carroll
Level 1

Let me rephrase that. The packets aren't being NATed, as I see it hitting the proper ACL deny section.

Jennifer Halim
Cisco Employee

Could there be an overlapping ACL with other peers?

I would suggest that you check the output of "show cry ipsec sa" instead of relying on the ACL hitcount.

Because the ACL isn't being hit, there isn't any IPsec SA info, since the VPN isn't up.

I'll look at it with some fresh eyes tomorrow.

Yes, Jennifer, you were correct. I had that in an ACL in another part of a crypto map. I removed it and got it working.

Thanks again.

Dan

Great to hear, Dan. Thanks for your update.

Please kindly mark the post as answered if all is good. Thank you.
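The root cause in this thread was a crypto ACL in another crypto map entry that overlapped the new peer's ACL, so the lower sequence number claimed the traffic first and no SA was ever built for the new peer. The following script is an added example, not part of the thread or any Cisco tool: it parses a constructed IOS fragment (map name VPNMAP, ACL names PEER-A/PEER-B and the addresses are all made up) and reports crypto map entries whose permit lines overlap a later entry's.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed IOS fragment (not from the thread): the seq 10 ACL also covers
# 192.168.13.0/24, so the seq 20 peer's traffic is claimed by seq 10 first.
CONFIG = """\
crypto map VPNMAP 10 ipsec-isakmp
 match address PEER-A
crypto map VPNMAP 20 ipsec-isakmp
 match address PEER-B
ip access-list extended PEER-A
 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended PEER-B
 permit ip 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255
"""

def _net(toks):
    """Consume one ACL address spec (any | host A | A WILDCARD) as an IPv4Network."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0))
    wild = int(ipaddress.ip_address(toks.pop(0)))  # IOS wildcard: 1 bits are "don't care"
    if wild & (wild + 1):  # only a contiguous low-order run of 1s maps to a prefix
        raise ValueError(f"non-contiguous wildcard after {t}")
    return ipaddress.ip_network(f"{t}/{32 - wild.bit_length()}", strict=False)

def parse(config):
    """Map each (crypto map, seq) to the (src, dst) networks its crypto ACL permits."""
    acls, match, cur = defaultdict(list), {}, None
    for raw in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp|ip access-list extended (\S+)", raw)
        if m:  # entering a crypto map entry (tuple) or a named ACL (str)
            cur = (m.group(1), int(m.group(2))) if m.group(1) else m.group(3)
            continue
        toks = raw.split()
        if toks[:2] == ["match", "address"] and isinstance(cur, tuple):
            match[cur] = toks[2]
        elif toks[:2] == ["permit", "ip"] and isinstance(cur, str):
            rest = toks[2:]
            acls[cur].append((_net(rest), _net(rest)))  # src consumed first, then dst
    return {k: acls[v] for k, v in match.items()}

def find_shadowed(config):
    """Pairs of crypto map entries whose ACLs overlap; the lower seq is matched first."""
    ent = sorted(parse(config).items())
    return [(a, b) for i, (a, an) in enumerate(ent) for b, bn in ent[i + 1:]
            if any(s1.overlaps(s2) and d1.overlaps(d2) for s1, d1 in an for s2, d2 in bn)]
```

Any pair it reports is a candidate for the symptom seen here (hit counts on the wrong ACL, no SA for the later peer in "show crypto ipsec sa"); non-contiguous wildcard masks are rejected rather than guessed.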