that was the wrong one I put here, the actual one that is configured is

access-list 101 permit ip host 7.7.53.3 host 192.168.6.1

On Tue, Nov 5, 2013 at 2:06 AM, Piotr Kaluzny <[email protected]> wrote:
> Jeremy
>
> You have enabled VPN on Loopback0 (7.7.53.3) but you say that your trigger
> ACL is sourced off 33.33.33.33. So what is the traffic you are trying to
> protect here?
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Technical Instructor - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> ***Want to win a free iPad mini? Just follow us on
> Twitter <http://www.twitter.com/ipexpert> or "Like" our
> Facebook <http://www.facebook.com/ipexpert> page and be entered into a
> weekly drawing!
> <http://www.IPexpert.com>
>
>
> On Tue, Nov 5, 2013 at 6:27 AM, jeremy co <[email protected]> wrote:
>
>> *7.7.53.3----R3-----R6----- 192.168.6.1*
>> *R6 is the server and R3 is the client.*
>>
>> Manual mode works, so config is good. But if I try the following it fails
>> and I'm not sure if this is how it should be.
>>
>> *Desired behavior:* If I ping from Lo on R3 to 92.168.6.1, it triggers
>> the tunnel only when it sees this traffic; the tunnel should not be active
>> any other time.
>>
>> But it doesn't work as above. I'm not sure pinging from loopback can
>> trigger the ACL at all or not ???? or it needs to be triggered from a
>> device behind R3?
>>
>> *Scenario 1:* Connect ACL 101
>>
>> access-list 101 permit ip host 33.33.33.33 host 192.168.6.1
>>
>> If I try to ping from Lo0 to 192.168.6.1 this doesn't start the
>> traffic (even if I add a route to 192.168.6.1 to fa0/1 on R3, still isakmp
>> wouldn't be triggered).
>>
>> *Scenario 2:* Connect acl 101 + I connect manually.
>>
>> If I connect manually (crypto ipsec client ezvpn), then I can ping
>> 192.168.6.1 without having a static route.
>>
>> The problem is it doesn't care if I source it from R3 L0 or not, the ipsec
>> counter increments, so it doesn't really honor the ACL..
>>
>> *R3:*
>> R3# sh run | s crypto|interface
>>
>> crypto ipsec client ezvpn EASY
>>  connect acl 101
>>  group ezvpn_DVTI key cisco123
>>  mode client
>>  peer 7.7.19.6
>>  virtual-interface 1
>>  username cisco password cisco
>>  xauth userid mode local
>>
>> interface Loopback0
>>  ip address 7.7.53.3 255.255.255.255
>>  crypto ipsec client ezvpn EASY inside
>>
>> interface FastEthernet0/1
>>  ip address 7.7.19.3 255.255.255.0
>>  speed 100
>>  full-duplex
>>  crypto ipsec client ezvpn EASY
>>
>> interface Virtual-Template1 type tunnel
>>  no ip address
>>  tunnel mode ipsec ipv4
>>
>> *----------------------------------------------------------------------------------------------------------*
>>
>> *R6:*
>>
>> R6#sh run | s crypto|pool|aaa|Virtual
>> aaa new-model
>> aaa authentication login ikev1-list local
>> aaa authorization network ikev1-list local
>> aaa session-id common
>> ip dhcp pool pool19
>>  network 7.7.19.0 255.255.255.0
>>  lease infinite
>> crypto isakmp policy 1
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp client configuration address-pool local pool2
>> crypto isakmp client configuration group ezvpn_DVTI
>>  key cisco123
>>  pool pool2
>> crypto isakmp profile isakmp_profile_dvti
>>    match identity group ezvpn_DVTI
>>    client authentication list ikev1-list
>>    isakmp authorization list ikev1-list
>>    client configuration address respond
>>    client configuration group ezvpn_DVTI
>>    virtual-template 2
>>    local-address FastEthernet0/1
>> crypto ipsec transform-set cisco esp-3des esp-md5-hmac
>> crypto ipsec profile ikev1
>>  set transform-set cisco
>>  set isakmp-profile isakmp_profile_dvti
>> interface Virtual-Template1
>>  no ip address
>> !
>> interface Virtual-Template2 type tunnel
>>  ip unnumbered FastEthernet0/1
>>  tunnel mode ipsec ipv4
>>  tunnel protection ipsec profile ikev1
>> !
>> ip local pool pool2 13.1.1.1 13.1.1.10
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
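As an added example (not part of the thread, and not Cisco's code), the following Python models the first-match semantics of an extended `ip` access list, which is what decides whether an EZVPN connect ACL sees a flow as interesting traffic. Run against the ACL as first posted and then against the corrected one, it shows why a ping sourced from Lo0 (7.7.53.3) could never match `host 33.33.33.33`, and it handles `any` and wildcard-mask entries as well as the `host` form used in the thread. The ACL lines and the wildcard-mask entry are constructed for the example; what the router does after classifying the flow (which interface the packet must arrive on, and so on) is outside what the model covers.

```python
import ipaddress

# Constructed sample ACLs (not taken from a device): the trigger ACL as first
# posted in the thread, the corrected one, and a multi-entry ACL that uses a
# wildcard mask so the parser's mask handling is exercised.
ACL_AS_POSTED = ["access-list 101 permit ip host 33.33.33.33 host 192.168.6.1"]
ACL_CORRECTED = ["access-list 101 permit ip host 7.7.53.3 host 192.168.6.1"]
ACL_WILDCARD = [
    "access-list 101 deny ip host 7.7.53.3 host 192.168.6.2",
    "access-list 101 permit ip 7.7.53.0 0.0.0.255 192.168.6.0 0.0.0.255",
]


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.

    Returns (IPv4Network, index of the next unparsed token). Only contiguous
    wildcard masks (the usual case) are supported; a non-contiguous wildcard
    has no single-network equivalent and makes ip_network raise ValueError.
    """
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard is the bitwise inverse of a subnet mask: 0 bits must
    # match, 1 bits are "don't care".
    mask_int = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.ip_address(mask_int))
    return ipaddress.ip_network((addr, netmask), strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' into a dict.

    Only the 'ip' protocol keyword is handled (no port qualifiers), which is
    all a connect/crypto ACL like the one in the thread needs.
    """
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACL entry: %r" % line)
    if tokens[3] != "ip":
        raise ValueError("only 'ip' entries are modelled: %r" % line)
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    return {"number": tokens[1], "action": tokens[2], "src": src, "dst": dst}


def evaluate(acl_lines, src_ip, dst_ip):
    """Return the action for a src->dst flow.

    The first matching entry wins; if nothing matches, the implicit deny at
    the end of every Cisco ACL applies.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in (parse_ace(line) for line in acl_lines):
        if src in entry["src"] and dst in entry["dst"]:
            return entry["action"]
    return "deny"


def is_interesting(acl_lines, src_ip, dst_ip):
    """True if the ACL classifies the flow as traffic to protect (a permit)."""
    return evaluate(acl_lines, src_ip, dst_ip) == "permit"


if __name__ == "__main__":
    # The flow from the thread: a ping sourced from R3 Lo0 to the host behind R6.
    flow = ("7.7.53.3", "192.168.6.1")
    for name, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print("%-10s %s -> %s : %s" % (name, flow[0], flow[1], evaluate(acl, *flow)))
```

A check like this is a cheap pre-deployment sanity test for any trigger, crypto or route-map ACL: feed it every flow you expect to be protected and confirm each returns `permit`, so a wrong host address is caught before the tunnel silently never comes up and unprotected traffic is sent in the clear.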
