Re: asa 5505 vpn ipsec l2l problem

["Paul Melson" <pmelson () gmail com>]

> and when i'm applying acl in crypto map
> crypto map abcMap 1 match address acl
> i'm getting this log:
> Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
>
> i don't have any debug messages (debug crypto ipsec 100) google it but
haven't found 
> any answer.
>
> thank you for your answers!
>
> acl
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq
4000 
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250
eq 4000 
> access-list acl extended permit tcp host 192.168.11.11 eq ftp host
10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105
eq ftp-data 
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq
4000 
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250
eq 4000 
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105
eq ftp 
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105
eq ftp-data 


You can only use 'permit ip' in an access-list used for crypto map match,
and your access-list is set to use tcp.  

If you need to filter VPN traffic down to the port and protocol level, use
the access-list applied to the outside interface, not the access-list
applied to the VPN tunnel's crypto map.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards