Problem using access-lists in dynamic crypto maps to filter traffic

babanonyme
Level 1

Hi all, I am trying to validate the use of set ip access-group in my crypto map, but I might be missing something here, as it's not working.


Consider a simple network:

R2[F1/0]<===>10.0.0.0/24<===>[F1/1]R1[F1/0]<===>192.168.50.0/24<===>VPNCLIENT

Router running:

7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)

Common config:

!
hostname R1
!
aaa new-model
!
aaa authentication login VPN local
aaa authorization network VPN local
!
username cisco password 0 cisco
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group cisco
key cisco
pool VPNPOOL
acl VPNST
netmask 255.255.255.0
!
!
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
!
crypto ipsec profile pf1
set transform-set TS1
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
!
interface Loopback2
ip address 1.1.1.2 255.255.255.255
!
!
interface FastEthernet1/0
ip address 192.168.50.1 255.255.255.0
duplex auto
speed auto
!
!
interface FastEthernet1/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
!
router ospf 1
log-adjacency-changes
redistribute static metric 100 subnets
network 10.0.0.0 0.0.0.255 area 0
!
ip local pool VPNPOOL 192.168.12.1 192.168.12.10
!
ip access-list extended VPNFILTER
permit ip any host 1.1.1.1
deny   ip any any log
ip access-list extended VPNST
permit ip 1.1.1.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
!

If I use crypto maps like this:

!
crypto dynamic-map DM 10
 set ip access-group VPNFILTER in
 set transform-set TS1
 reverse-route
!
!
crypto map CMAP client authentication list VPN
crypto map CMAP isakmp authorization list VPN
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp dynamic DM
!
interface FastEthernet1/0
 crypto map CMAP
!

I can connect, and I can successfully ping all loopback addresses and all devices behind my VPN router (in this case I ping R2, 10.0.0.2).

It's like the ACL is not applied. I even used a deny ip any any ACL, with the same result.

I managed to get this working using DVTI interfaces, but I'd like to know why it's not working with crypto maps.


FYI, config with DVTI:

!
interface FastEthernet1/0
 no crypto map CMAP
!
crypto isakmp profile cisco
   match identity group cisco
   client authentication list VPN
   isakmp authorization list VPN
   client configuration address respond
   virtual-template 1
!
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet1/0
 ip access-group VPNFILTER in
 tunnel source FastEthernet1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile pf1
!
Any help would be much appreciated

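Added example (not part of the original post, and not Cisco code): a small first-match evaluator for the two extended ACLs in the post, run against the three pings the poster reports. It does not explain why the crypto-map form ignores the filter; it only shows the result one should expect when VPNFILTER is actually applied inbound on the decrypted traffic (only 1.1.1.1 reachable, everything else denied and logged), which is the reference to compare a test against. It also mirrors the split-tunnel ACL VPNST the way IOS uses it (router-side addresses as the source). The client address 192.168.12.1 is assumed to be the first address handed out from VPNPOOL; the ACL text is a constructed copy of what the post shows.

```python
import ipaddress

# Constructed copy of the two ACLs in the post (sample input, not a live router).
ACLS = {
    "VPNFILTER": [
        "permit ip any host 1.1.1.1",
        "deny ip any any log",
    ],
    "VPNST": [
        "permit ip 1.1.1.0 0.0.0.255 any",
        "permit ip 10.0.0.0 0.0.0.255 any",
    ],
}


def parse_addr(tokens, i):
    """Parse an IOS address spec starting at tokens[i].

    Accepts 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous
    wildcard masks only; IOS wildcards are inverted netmasks).
    Returns (ip_network, index_of_next_token).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr = int(ipaddress.ip_address(tokens[i]))
    wc = int(ipaddress.ip_address(tokens[i + 1]))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard not supported: " + tokens[i + 1])
    prefix = 32 - wc.bit_length()
    base = ipaddress.ip_address(addr & ~wc & 0xFFFFFFFF)
    return ipaddress.ip_network("%s/%d" % (base, prefix)), i + 2


def parse_ace(line):
    """Parse one extended ACE into (action, proto, src_net, dst_net, logged)."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = parse_addr(t, 2)
    dst, i = parse_addr(t, i)
    return action, proto, src, dst, ("log" in t[i:])


def evaluate(acl_name, src_ip, dst_ip, proto="icmp"):
    """First-match lookup as IOS does it, ending in the implicit (unlogged) deny.

    Returns (action, logged).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in ACLS[acl_name]:
        action, ace_proto, src_net, dst_net, logged = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue  # 'ip' matches every protocol; anything else must match exactly
        if src in src_net and dst in dst_net:
            return action, logged
    return "deny", False


def poster_pings(client_ip="192.168.12.1"):
    """Expected fate of the three pings in the post if VPNFILTER really
    filtered the decrypted traffic (client_ip assumed from VPNPOOL)."""
    return {dst: evaluate("VPNFILTER", client_ip, dst)
            for dst in ("1.1.1.1", "1.1.1.2", "10.0.0.2")}


def split_tunnel_covers(dst_ip, client_ip="192.168.12.1"):
    """Whether VPNST would send traffic for dst_ip into the tunnel. The
    split-tunnel ACL is written from the router side (source = protected
    networks), so the lookup is mirrored: router-side address as source."""
    return evaluate("VPNST", dst_ip, client_ip)[0] == "permit"


if __name__ == "__main__":
    for dst, (action, logged) in poster_pings().items():
        print("ping %-9s -> %s%s" % (dst, action, " (logged)" if logged else ""))
    for dst in ("1.1.1.2", "10.0.0.2", "8.8.8.8"):
        print("VPNST covers %-9s: %s" % (dst, split_tunnel_covers(dst)))
```

If the filter were in effect, only the ping to 1.1.1.1 would succeed and the other two would show up as logged denies; the poster sees all three succeed, which is the observation the question is about. The mirrored VPNST check is a reminder that the split-tunnel ACL decides what the client encrypts, not what the router accepts once decrypted; that second decision is what set ip access-group is meant to cover.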