05-21-2012 12:32 AM
Hi, I want to create a VPN tunnel for specific hosts, not the full range.
e.g. network range 10.1.1.0/24
Host 1: 10.1.1.1
Host 2: 10.1.1.2
Host 3: 10.1.1.3
Host 4: 10.1.1.4
So I created an ACL with each host as source and destination x.y.z.w.
Now when I type show crypto ipsec sa
it shows the full subnet 10.1.1.0 and not the host??
Thanks
05-21-2012 04:17 AM
Are you trying to create a LAN-to-LAN VPN tunnel or a VPN client?
Also, can you please share your current configuration?
05-21-2012 09:02 PM
Hi Jennifer,
It is a site-to-site VPN, where specific hosts are allowed to access the VPN tunnel.
For the config, it is the same as any site-to-site VPN, except:
From R1:
access-list xyz permit ip host 10.1.1.1 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.2 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.3 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.4 172.16.0.0 0.0.255.255
From R2:
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.1
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.2
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.3
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.4
Thanks
05-22-2012 04:16 AM
If your crypto access-list "xyz" is host-based, the output of "show cryp ipsec sa" should also show the host instead of the subnet.
Did you previously have the subnet and have you just recently changed it to host? If you did, can you please clear the IPsec tunnel so it re-establishes a new SA.
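The thread turns on two things: whether each peer's crypto ACL really consists of host entries, and whether the two peers' ACLs mirror each other (R2's source/destination must be the reverse of R1's), since the entries are the proxy identities negotiated into the IPsec SA. The following Python script is an added example, not part of the original thread or Cisco's own tooling. It parses Cisco-style "access-list ... permit ip" lines (host, wildcard and any forms), converts wildcard masks to prefixes, lists the proxy identities each entry would negotiate, and reports entries on either side that have no mirrored counterpart. The sample ACLs are constructed from the thread; the "stale" R1 ACL with a /24 entry is added to show what a subnet-instead-of-host mismatch looks like.

```python
"""Check that two peers' crypto ACLs are host-based and mirror each other (added example)."""
import ipaddress
from ipaddress import IPv4Network
from typing import List, Tuple

Entry = Tuple[IPv4Network, IPv4Network]  # (source, destination)

# Constructed sample ACLs modelled on the thread.
R1_ACL = """
access-list xyz permit ip host 10.1.1.1 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.2 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.3 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.4 172.16.0.0 0.0.255.255
"""
R2_ACL = """
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.1
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.2
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.3
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.4
"""
# Constructed: the old subnet-wide entry the poster may still have had on R1.
R1_STALE_ACL = "access-list xyz permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255\n"


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a Cisco wildcard mask (0 bits = must match) to a prefix length."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(inverted).count("1")
    # Reject non-contiguous wildcards such as 0.255.0.255; they have no CIDR form.
    if inverted != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    return prefixlen


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse one address spec ('any', 'host A', or 'A WILDCARD') starting at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    plen = wildcard_to_prefixlen(tokens[i + 1])
    return IPv4Network(f"{tokens[i]}/{plen}", strict=False), i + 2


def parse_crypto_acl(text: str) -> List[Entry]:
    """Return (src, dst) networks for each 'permit ip' entry; deny entries are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        if tokens[2] != "permit":
            continue  # deny entries only exclude traffic from the tunnel
        if tokens[3] != "ip":
            # The R2 lines as first posted in the thread omit this keyword.
            raise ValueError(f"expected protocol keyword after 'permit': {line.strip()}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((src, dst))
    return entries


def proxy_identities(entries: List[Entry]) -> List[str]:
    """Describe the local/remote identity each entry would negotiate into an IPsec SA."""
    return [f"local {src.with_netmask} remote {dst.with_netmask}" for src, dst in entries]


def mirror_mismatches(local: List[Entry], remote: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries on each side whose reversed (dst, src) pair is absent on the other side."""
    local_set, remote_set = set(local), set(remote)
    only_local = [e for e in local if (e[1], e[0]) not in remote_set]
    only_remote = [e for e in remote if (e[1], e[0]) not in local_set]
    return only_local, only_remote


if __name__ == "__main__":
    r1, r2 = parse_crypto_acl(R1_ACL), parse_crypto_acl(R2_ACL)
    for ident in proxy_identities(r1):
        print("R1 would negotiate:", ident)
    print("host ACLs mirror each other:", mirror_mismatches(r1, r2) == ([], []))
    stale_local, stale_remote = mirror_mismatches(parse_crypto_acl(R1_STALE_ACL), r2)
    print("stale R1 entry with no R2 mirror:", stale_local)
    print("R2 entries with no stale-R1 mirror:", len(stale_remote))
```

The mirror check is the one to run before clearing the tunnel: a /24 entry left on one side (or an ACL edited on only one peer) shows up immediately as an unmatched pair, which is also the case in which the negotiated SA keeps showing the subnet rather than the individual host.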