[c-nsp] debugging and tracing on IP-Sec tunnel
Arne Larsen / Region Nordjylland
arla at rn.dk
Fri Aug 1 01:32:33 EDT 2008
Hi Folks
I need some advice regarding trace and debug on a tunnel with IPSec.
We are using a provider to some kind of health service; these servers can be reached via a tunnel interface in our network and vice versa.
My problem is that one server is out of reach on http traffic but not on ssh.
If I deploy an access-list on the tunnel interface, I can see that the http-traffic is being forwarded via the tunnel interface.
So how can I be sure that the IP-Sec interface is also forwarding the http traffic and not just ssh?
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 43200
crypto isakmp key Klipklapklop4433saksen address xxxxxxxxx
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map MEDMAP 2 ipsec-isakmp
 description nja -> medcom
 set peer xxxxxxxxxxx
 set transform-set strong
 match address krypt-medcom
interface Tunnel1
 description GRE interface
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip mtu 1300
 ip nat outside
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination xxx.xxx.xxx.xxx
!
interface FastEthernet0/0
 description Outside - Internetrouter
 ip address xxx.xxx.xxx.xxx 255.255.255.128
 speed 100
 full-duplex
 crypto map MEDMAP