Differences

This shows you the differences between two versions of the page.

--- cisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:17] – Name
+++ cisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:54] (current) – Name
@@ Line 491: / Line 491: @@
  permit ip host 12.1.1.1 host 12.1.1.2<code>
   * At first glance, it seems the ACL is correct, but the permit line is subtly backwards. Flip the hosts around and test again.
-<code></code>
+  * The next step is for demonstration purposes to show what happens when the access-list in-use is attempted to be edited.
+<code>2-spoke#conf t
+Enter configuration commands, one per line.  End with CNTL/Z.
+r2-spoke(config)#ip access-list extended castle-acl
+r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
+%ACL castle-acl can not be modified/deleted, as it is used in crypto-map svpn-map
+%Please first remove the ACL from crypto map or remove the crypto map from the interface</code>
+  * This is the correct procedure to migrate the ACL entry to the end.
+<code>r2-spoke#conf t
+Enter configuration commands, one per line.  End with CNTL/Z.
+r2-spoke(config)#int g1
+r2-spoke(config-if)#no crypto map
+r2-spoke(config-if)#
+*Aug 31 17:23:37.223: (ipsec_license_release) IPSEC License handle release failed (55)
+r2-spoke(config-if)#
+*Aug 31 17:23:37.323: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
+r2-spoke(config-if)#ip access-list extended castle-acl
+r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
+r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1</code>
+  * Verify the ACL is correct.
+<code>r2-spoke(config-if)#do show run | s access-list extended castle-acl
+ip access-list extended castle-acl
+permit ip host 12.1.1.2 host 12.1.1.1</code>
+  * The ACL is now correct. Next, add the crypto map back on the interface.
+<code>r2-spoke(config-ext-nacl)#int g1
+r2-spoke(config-if)# crypto map svpn-map</code>
+  * Turn debugging off on the hub and spoke.
+<code>r1-hub#u all
+All possible debugging has been turned off</code>
+<code>r2-spoke#u all
+All possible debugging has been turned off</code>
+  * Test with a ping again from either the hub or spoke.
+<code>r1-hub#ping 12.1.1.2
+Type escape sequence to abort.
+Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
+!!!!!
+Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms</code>
+<code>r2-spoke#ping 12.1.1.1
+Type escape sequence to abort.
+Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
+!!!!!
+Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms</code>
+  * Success. Verify the crypto sa.
+<code>r1-hub#show crypto ikev2 sa
+ IPv4 Crypto IKEv2  SA
+Tunnel-id Local                 Remote                fvrf/ivrf            Status
+         12.1.1.1/500          12.1.1.2/500          none/none            READY
+      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
+      Life/Active Time: 86400/276 sec</code>
+<code>r2-spoke#show crypto ikev2 sa
+ IPv4 Crypto IKEv2  SA
+Tunnel-id Local                 Remote                fvrf/ivrf            Status
+         12.1.1.2/500          12.1.1.1/500          none/none            READY
+      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
+      Life/Active Time: 86400/313 sec</code>
+  * One last check with Wireshark while pinging.
+{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture2.png?900 |Lab-001-IKEv2-Capture2}}\\
-  * Packet Capture on r1-hub e0/0 interface.
-{{ :cisco:books:ccnp_300-730:ch3:000:Lab-000-IKEv2-Overview.png?800 |Lab-001-Overview}}\\

Tim's Technology Gauntlet Wiki

User Tools

Site Tools

Differences

Page Tools