No matches on access-list

tarun.pahuja
Level 1

Folks,

We are using a VPN encryption module for compression only. For some reason, when I do "show access-list 101" it shows me that there are no matches on the first statement and the second statement has all the matches. This is not good for us, as we do not want our voice traffic to be encrypted, and that is why we excluded it from the rest of the traffic using the 1st statement on the access-list, but it is not matching. I am 100% sure that the networks are correct, but no matches.

> Current configuration : 3037 bytes
> !
> ! Last configuration change at 10:37:28 UTC Tue Aug 10 2004
> ! NVRAM config last updated at 22:35:31 UTC Tue Aug 10 2004
> !
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Restat7204
> !
> boot system flash c7200-ik9s-mz.122-13.T1.bin
> logging buffered informational
> no logging console
> no logging monitor
> enable secret xxxx
> enable password xxxx
> !
> ip subnet-zero
> ip cef
> !
> !
> !
> !
> xsm
> xsm vdm
> xsm edm
> !
> class-map match-all voice-signaling
>  match ip dscp af42
> class-map match-all voice-traffic
>  match ip dscp ef
> !
> !
> policy-map VOICE
>  class voice-traffic
>   priority percent 10
>  class voice-signaling
>   bandwidth 1000
>  class class-default
>   fair-queue
> !
> !
> crypto isakmp policy 99
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key test address 192.168.1.13
> !
> !
> crypto ipsec transform-set compression-test-set esp-null esp-sha-hmac
>  comp-lzs
> !
> crypto map compression-map 10 ipsec-isakmp
>  set peer 192.168.1.13
>  set transform-set compression-test-set
>  match address 101
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> controller ISA 2/1
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address 198.204.79.254 255.255.255.0 secondary
>  ip address 10.30.0.10 255.255.0.0
>  duplex full
>  speed 100
>  bridge-group 1
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Hssi1/0
>  description connection to Mccormick
>  bandwidth 45000
>  ip address 192.168.1.14 255.255.255.252
>  service-policy output VOICE
>  serial restart_delay 0
>  crypto map compression-map
>  bridge-group 1
>  bridge-group 1 spanning-disabled
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 198.204.79.252
> ip route 10.10.0.0 255.255.0.0 192.168.1.13
> ip route 10.11.0.0 255.255.0.0 192.168.1.13
> ip route 10.20.0.0 255.255.0.0 192.168.1.13
> ip route 10.21.0.0 255.255.0.0 192.168.1.13
> ip route 10.25.0.0 255.255.0.0 192.168.1.13
> ip route 10.31.0.0 255.255.0.0 10.30.0.24
> ip route 10.40.0.0 255.255.0.0 192.168.1.13
> ip route 10.70.0.0 255.255.0.0 192.168.1.13
> ip route 10.81.0.0 255.255.0.0 192.168.1.13
> ip route 10.90.0.0 255.255.0.0 192.168.1.13
> ip route 10.91.0.0 255.255.0.0 192.168.1.13
> ip route 10.100.0.0 255.255.0.0 192.168.1.13
> ip route 10.101.0.0 255.255.0.0 192.168.1.13
> ip route 192.168.30.0 255.255.255.0 198.204.79.252
> ip route 192.168.201.0 255.255.255.0 192.168.1.13
> ip route 192.168.215.0 255.255.255.0 192.168.1.13
> ip route 204.27.238.0 255.255.255.0 192.168.1.13
> ip route 204.27.248.0 255.255.255.0 192.168.1.13
> no ip http server
> !
> !
> no logging trap
> access-list 101 deny ip 10.31.0.0 0.0.255.255 any
> access-list 101 permit ip any any
> dialer-list 1 protocol ip permit
> dialer-list 1 protocol ipx permit
> !
> snmp-server community public RO
> snmp-server community private RW
> snmp-server enable traps tty
> !
> call rsvp-sync
> !
> !
> mgcp profile default
> !

patrick.cannon
Level 1

Why would you configure your vpn access-list to include any traffic that you didn't want to go to the other end? Just don't include that subnet at all and it wouldn't be defined as interesting and therefore not encrypted.

Does voice traffic travel to the same site at the other end of your VPN through the same network device?

Trap some of the traffic that is being permitted through the tunnel on the second entry of access-list 101. Verify if it is or is not voice traffic.
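The reply's check (work out which entry of access-list 101 a given flow hits, and therefore whether the crypto map will protect it or send it in the clear) can be done offline against the two ACL lines from the posted configuration. The evaluator below is an added example, written for this thread; it is not Cisco code and not anything the poster ran. It implements IOS wildcard-mask matching and first-match semantics for `access-list <n> permit|deny ip <src> <wild> <dst> <wild>` entries, and it tallies per-entry hits the way `show access-list` reports them. The sample flows are constructed: the source addresses and the 10.10.0.0/16 destination are assumptions chosen to illustrate the point, not traffic from the poster's network. In a crypto map ACL, `permit` selects traffic for IPsec and `deny` excludes it, so a voice flow that shows up on the second (permit) entry has a source outside 10.31.0.0/16.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One extended-ACL line: action plus source/destination base and wildcard."""
    action: str      # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _addr_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~_addr_int(wildcard) & 0xFFFFFFFF
    return (_addr_int(addr) & care) == (_addr_int(base) & care)


def _parse_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(lines: Iterable[str]) -> List[AclEntry]:
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines; other forms are rejected."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, src_w, rest = _parse_addr(t[4:])
        dst, dst_w, _ = _parse_addr(rest)
        entries.append(AclEntry(t[2], src, src_w, dst, dst_w))
    return entries


def first_match(acl: List[AclEntry], src: str, dst: str) -> Tuple[Optional[int], str]:
    """Return (entry index, action) for the first matching entry; (None, 'deny') is the implicit deny."""
    for i, e in enumerate(acl):
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return i, e.action
    return None, "deny"


def match_counts(acl: List[AclEntry], flows: Iterable[Tuple[str, str]]) -> Counter:
    """Per-entry hit counts, like the '(N matches)' column of 'show access-list'."""
    counts: Counter = Counter()
    for src, dst in flows:
        idx, _ = first_match(acl, src, dst)
        counts[idx] += 1
    return counts


# The two lines from the posted configuration.
ACL_101 = parse_acl([
    "access-list 101 deny ip 10.31.0.0 0.0.255.255 any",
    "access-list 101 permit ip any any",
])

# Constructed sample flows (assumed addresses, not captured from the poster's network).
SAMPLE_FLOWS = [
    ("10.31.4.20", "10.10.1.10"),   # source inside 10.31/16 -> entry 0 (deny): excluded from IPsec
    ("10.30.0.55", "10.10.1.10"),   # data host on 10.30/16 -> entry 1 (permit): protected
    ("10.30.0.200", "10.10.1.10"),  # a phone that is NOT on 10.31/16 also lands on entry 1
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        idx, action = first_match(ACL_101, src, dst)
        print(f"{src} -> {dst}: entry {idx} ({action})")
    print("match counts:", dict(match_counts(ACL_101, SAMPLE_FLOWS)))
```

Feed the evaluator the real source/destination pairs taken from the traffic trap the reply suggests; any voice flow that reports entry 1 has a source address the first entry does not cover.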