12-21-2010 05:25 PM - edited 02-21-2020 05:03 PM
Hello,
I have a crypto map applied with an acl of
permit ip 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255
deny ip any any
For some reason when I send the ping:
ping 192.168.13.250 so 192.168.200.1
the packets aren't hitting the permit portion of the ACL.
I see the pings I'm sending hitting the
deny ip 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255
which is for not NATing.
I have 15 other vpn peers working just fine. This one just seems to be buggy.
Anyone seen anything like this before?
12-21-2010 05:27 PM
Let me rephrase that. The packets aren't being NATed, as I see it hitting the proper ACL deny section.
12-21-2010 05:27 PM
Could there be overlapping ACL with other peers?
I would suggest that you check the output of "show cry ipsec sa" instead of relying on the ACL hitcount.
12-21-2010 06:16 PM
Because the ACL isn't being hit, there isn't any IPsec SA info, since the VPN isn't up.
I'll look at it with some fresh eyes tomorrow.
12-22-2010 09:39 AM
Yes Jennifer, you were correct. I had that in an ACL in another part of a crypto map. I removed it and got it working.
Thanks again.
Dan
12-22-2010 02:21 PM
Great to hear, Dan. Thanks for your update.
Please kindly mark the post as answered if all is good. Thank you.
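The cause found in this thread, the same source/destination pair permitted in the ACLs of two different crypto map entries, can be checked for offline before a tunnel silently fails. The script below is an added example and not code from any poster in the thread; the map name, peer addresses, ACL names and the PEER-A /22 entry are constructed, and it assumes named extended ACLs with contiguous wildcard masks in address/wildcard form.

```python
import ipaddress
import re
from itertools import combinations

# Constructed IOS-style config: map name, peers, ACL names and PEER-A's /22 are invented.
SAMPLE_CONFIG = """\
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 match address PEER-A
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.20
 match address PEER-B
ip access-list extended PEER-A
 permit ip 192.168.200.0 0.0.0.255 192.168.12.0 0.0.3.255
ip access-list extended PEER-B
 permit ip 192.168.200.0 0.0.0.255 192.168.13.0 0.0.0.255
"""

def to_net(addr, wildcard):
    # Invert the wildcard into a netmask (contiguous wildcards only).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Return ({(map, seq): acl}, {acl: [(src_net, dst_net), ...]})."""
    maps, acls, ctx = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) ", line):
            ctx = ("map", (m[1], int(m[2])))
        elif m := re.match(r"ip access-list extended (\S+)", line):
            ctx = ("acl", m[1])
        elif not line.startswith(" "):
            ctx = None  # some other top-level command
        elif ctx and ctx[0] == "map" and (m := re.match(r"\s+match address (\S+)", line)):
            maps[ctx[1]] = m[1]
        elif ctx and ctx[0] == "acl" and (m := re.match(r"\s+permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$", line)):
            acls.setdefault(ctx[1], []).append((to_net(m[1], m[2]), to_net(m[3], m[4])))
    return maps, acls

def find_overlaps(config):
    """Permit entries of different crypto map entries whose source and destination both overlap."""
    maps, acls = parse(config)
    hits = []
    for (e1, a1), (e2, a2) in combinations(sorted(maps.items()), 2):
        for s1, d1 in acls.get(a1, []):
            for s2, d2 in acls.get(a2, []):
                if s1.overlaps(s2) and d1.overlaps(d2):
                    hits.append((e1, e2, f"{s2} -> {d2}"))
    return hits
```

Each hit names the two crypto map entries and the later entry's overlapping permit line. Because crypto map entries are evaluated in sequence-number order, the lower-numbered entry claims the traffic, so the intended peer's ACL shows no hits and no SA forms.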