I would do your more specific ACL entry and make sure your inverted mask is correct, such as 192.1.1.0 0.0.0.255. Once you do that, issue the following commands to reset the tunnel and force a renegotiation.

clear crypto ipsec sa
clear crypto isakmp sa

That should do it...

-----Original Message-----
From: ian williams [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 25, 2003 8:33 AM
To: [EMAIL PROTECTED]
Subject: crypto maps and IPSEC tunnels [7:71341]

Hi

I have just set up an IPSEC tunnel between two routers, tunneling a source address of 192.168.50.1 going to a host on router B, 172.x.x.x/24.

Everything works with the current configs given below. But I want to change ACL 101 on router B from using a class A mask to something like a class C mask or even a host address.

I have changed ACL 101 and even added a "deny ip any any log" to the end to see what is being dropped. The VPN tunnel doesn't come up unless I use a class A mask like shown below.

I know this is an ACL but it is being used for matching traffic. Do they work differently and not support host addresses?

Thanks
Ian

Here is the config of router A

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco address 10.10.10.10
!
!
crypto ipsec transform-set TEST esp-3des
!
crypto map cisco 1 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set TEST
 match address 101
access-list 101 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255

Here is the config of router B

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key password address 10.10.10.20
!
!
crypto ipsec transform-set TEST esp-3des
!
crypto map cisco 1 ipsec-isakmp
 set peer 10.10.10.20
 set transform-set TEST
 match address 101
access-list 101 permit ip 172.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 permit ip host 10.10.10.10 host 10.10.10.20

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71352&t=71341
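
An added example, not part of the thread: a small Python check that parses the ACL 101 entries posted above, normalises each inverted mask, and lists entries that have no swapped source/destination twin on the other router. It assumes Cisco's guidance that the crypto ACLs on two IPsec peers be mirror images of each other; the function names and the narrowed router B line (with the made-up subnet 172.16.1.0) are constructed for illustration.

```python
import ipaddress

def take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    addr = int(ipaddress.IPv4Address(first))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    # Bits set in an inverted (wildcard) mask are "don't care": clear them in the base.
    return (addr & ~wild & 0xFFFFFFFF, wild)

def permit_entries(config, acl_id):
    """Return the 'permit ip' entries of one extended ACL as (src, dst) pairs."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] == ["access-list", str(acl_id), "permit", "ip"]:
            rest = tokens[4:]  # trailing keywords such as 'log' are ignored
            entries.append((take_addr(rest), take_addr(rest)))
    return entries

def unmirrored(local, remote):
    """Local entries with no swapped (dst, src) twin in the remote peer's ACL."""
    swapped = {(dst, src) for src, dst in remote}
    return [entry for entry in local if entry not in swapped]

def show(entry):
    """Render an entry back into 'A WILDCARD A WILDCARD' form for a report."""
    return " ".join(str(ipaddress.IPv4Address(n)) for pair in entry for n in pair)

# ACL 101 from the two routers in the post.
ROUTER_A = """
access-list 101 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
"""
ROUTER_B = """
access-list 101 permit ip 172.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 101 permit ip host 10.10.10.10 host 10.10.10.20
"""
# Constructed: router B narrowed to a /24 (172.16.1.0 is made up), router A unchanged.
ROUTER_B_NARROW = "access-list 101 permit ip 172.16.1.0 0.0.0.255 192.0.0.0 0.255.255.255"

if __name__ == "__main__":
    for name, b in (("posted", ROUTER_B), ("narrowed", ROUTER_B_NARROW)):
        a_acl, b_acl = permit_entries(ROUTER_A, 101), permit_entries(b, 101)
        for side, gaps in (("A", unmirrored(a_acl, b_acl)), ("B", unmirrored(b_acl, a_acl))):
            for entry in gaps:
                print(f"[{name}] router {side} entry has no mirror: {show(entry)}")
```

Run against the narrowed line, every entry on both routers is reported, which is the state the ACLs are in when only one side of the tunnel has been edited.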

