Right, after clearing udp connections on ASA the tunnel fails. In earlier attempts I was clearing the crypto SAs on end routers but forgot to clear udp conn on ASA itself.
Thank you all.
Asif

On Sat, Jan 30, 2010 at 7:41 PM, Piotr Matusiak <[email protected]> wrote:
> Hi,
>
> This should work fine IMO. Perhaps you have established ISAKMP SA before
> applying ACL on the ASA?
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
>
>
> 2010/1/30 Asif Khan <[email protected]>
>
>> Hello group,
>>
>> Topology: R1 <-> ASA <-> R2
>> Traffic between R1 lo0(1.1.1.1) and R2 lo0(2.2.2.2) protected by l2l
>> IPSec.
>>
>> I am using the following ACL on both inside and outside interfaces of ASA:
>>
>> access-list VPN extended deny udp any any log
>> access-list VPN extended permit esp any any
>> access-group VPN in interface outside
>> access-group VPN in interface inside
>>
>> but I am able to bring up the tunnel from both inside and outside ...
>>
>> Shouldn't blocking udp500/4500 block the tunnel construction?
>>
>> Thanks in Advance,
>> - Asif
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
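Added example (not from the thread, and not anyone's posted config): the ASA and router commands that show why the tunnel still came up after the deny was added, and how to retest the ACL against a genuinely new IKE flow. The ASA evaluates an interface ACL only on the first packet of a flow; once a UDP/500 or UDP/4500 conn entry exists in the conn table, later IKE packets match that entry and never touch the ACL, which is why clearing crypto SAs on the routers alone was not enough. Assumptions: R1 sits on the ASA "inside" interface and R2 on "outside"; <R1-OUTSIDE> and <R2-OUTSIDE> are placeholders for the IKE peer addresses, which the thread does not give.

```cisco
! Added example, not from the thread. Placeholders: <R1-OUTSIDE>, <R2-OUTSIDE>.

! 1. Existing IKE flows bypass the interface ACL. Look for UDP conn entries
!    with port 500 (IKE) or 4500 (NAT-T) between the two peers:
ASA# show conn protocol udp

! 2. While those entries exist the deny ACE never fires, so its hit count
!    stays at zero:
ASA# show access-list VPN

! 3. Clear the stale UDP conns on the ASA (the step that was missed), then
!    the ISAKMP and IPsec SAs on a router so negotiation must start afresh:
ASA# clear conn protocol udp
R1# clear crypto isakmp
R1# clear crypto sa

! 4. Simulate the first IKE packet of the new flow from R2 toward R1. With
!    no conn entry the packet is checked against the ACL and the trace ends
!    with "Drop-reason: (acl-drop) Flow is denied by configured rule":
ASA# packet-tracer input outside udp <R2-OUTSIDE> 500 <R1-OUTSIDE> 500

! 5. Confirm the deny is now being logged (the ACE carries "log"):
ASA# show logging | include access-list VPN denied udp
```

Outside a lab, `clear conn protocol udp` drops every UDP flow through the box; narrow it with the `address` and `port` arguments of `clear conn` so only the IKE entries for the two peers are removed. The same first-packet behaviour applies to any new deny you add on an ASA: an ACL change is not fully in effect until the flows it should now block have been cleared from the conn table.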
