denver218
asked on
Site-to-Site VPN between a Cisco 2821 Router and a Cisco VPN Concentrator 3060
I have a site-to-site VPN between a Cisco 2821 Router and a Cisco VPN Concentrator 3060. The VPN is currently up and working, but I need to modify the access-list for the VPN, and when I do the VPN goes down. I am modifying the access-list for the VPN to get rid of a network that doesn't exist anymore. Below is the relevant information for the Cisco 2821 side:
Cisco 2821
crypto map cti_office_map 1 ipsec-isakmp
description Main_Office
set peer x.x.x.135
set transform-set to_cti
match address 110
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 192.0.0.0 0.255.255.255 172.31.252.0 0.0.3.255
I'm want to remove the following lines from the access-list:
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 172.31.252.0 0.0.3.255
The 10.4.0.0/16 network does not exist anymore that's why I want to remove it. When I remove these 3 lines the VPN goes down. I'm not sure why:
On the concentrator 3060 side of things I removed the 10.4.0.0/16 network just fine and the VPN stayed up. Any ideas on what to do on the Cisco 2821 side? Thanks.
Cisco 2821
crypto map cti_office_map 1 ipsec-isakmp
description Main_Office
set peer x.x.x.135
set transform-set to_cti
match address 110
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 192.0.0.0 0.255.255.255 172.31.252.0 0.0.3.255
I'm want to remove the following lines from the access-list:
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 172.31.252.0 0.0.3.255
The 10.4.0.0/16 network does not exist anymore that's why I want to remove it. When I remove these 3 lines the VPN goes down. I'm not sure why:
On the concentrator 3060 side of things I removed the 10.4.0.0/16 network just fine and the VPN stayed up. Any ideas on what to do on the Cisco 2821 side? Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
can i ask where how and where you issued the constant ping? I'm guessing that the constant ping is coming from the 10.4.0.0 subnet. just want to make sure that you are issuing the ping from the other subnets (like 10.5.0.0) and that clients on the 10.5.0.0 subnets are able to establish VPN connections.
also, take note that crypto ACL should be mirror image on both sides. For routers the ACL should be mirror of each other (in a sense looking the same but coming from and pointing on the other direction).
also, take note that crypto ACL should be mirror image on both sides. For routers the ACL should be mirror of each other (in a sense looking the same but coming from and pointing on the other direction).
ASKER
All is working now. After I removed those lines in the ACL, I rebooted the router and all was well. All VPN's came back up
ASKER