Can I enter crypto map command on an ethernet interface(LAN)

Hi Friends,
I am establishing a VPN tunnel through the Internet. I have the public address configured on the Ethernet interface of the router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface? Please help me by providing the knowledge.

Your crypto map must be bound to the outside interface,
but you can choose which IP to use:
http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
[Pls RATE if HELPS]

Similar Messages

  • Commands that can be entered in the 'Command Field'

    Hello All,
    Does anyone know all commands that can be entered in the 'Command Field'.
    I am interested in the commands that start with &. For example &sapedit, &vexcel, &vgrid; etc. (OR commands such as PRFB; etc.)
    Just curious, where all these commands are stored?
    Thanks
    Naved

    Hi Nablan,
    I tried your suggestion. I noticed that it lists some commands but not all.
    For example, if I am in the CMOD tcode and I click on GUI Status, nowhere do I see the command 'PRFB'.
    According to a post in SDN, in the CMOD tcode, entering PRFB in the command field displays a list of all field exits.
    Similarly, in SE16n there are field commands like &sapedit, &vexcel and &vgrid...
    Please shed light on this,
    Thanks

  • Help with IPSEC? Can you apply crypto map to SVI?

    Hi All,
    Got a problem with a site-to-site IPSEC vpn implementation where one end is using SVI (eg: interface vlan 10).
    Does anybody know if a crypto map can be applied to an SVI to bring up the IPSEC tunnel? It accepts the command but I can't pass any traffic to/from it.
    interface vlan 10
    crypto map MY-MAP
    Or do you need to apply the crypto map to a physical interface?
    I've gotten it working on a sub-interface (eg: interface GigabitEthernet0/0.11) but can't find any documentation that talks about applying it to a SVI and whether this will work. Anybody tried it using SVI's before?
    This is to be done on a Cisco 7606 (sup720).
    Thanks.
    Andy

    Hi Jerry,
    I'm not that cluey with all the hardware on the box itself, but here's what we have on the box.
    core1#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
    cisco CISCO7606 (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.
    Processor board ID FOX092502NB
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from power-on
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    X.25 software, Version 3.0.0.
    Bridging software.
    TN3270 Emulation software.
    228 Virtual Ethernet/IEEE 802.3 interfaces
    124 Gigabit Ethernet/IEEE 802.3 interfaces
    4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
    1917K bytes of non-volatile configuration memory.
    8192K bytes of packet buffer memory.
    65536K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102
    core1#sh mod
    Mod Ports Card Type Model
    1 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
    2 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
    3 24 CEF720 24 port 1000mb SFP WS-X6724-SFP
    4 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE
    5 2 Supervisor Engine 720 (Active) WS-SUP720-3B
    6 2 Supervisor Engine 720 (Hot) WS-SUP720-3B
    Mod Sub-Module Model Hw Status
    1 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
    2 Centralized Forwarding Card WS-F6700-CFC 2.1 Ok
    3 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
    4 Centralized Forwarding Card WS-F6700-CFC 4.1 Ok
    5 Policy Feature Card 3 WS-F6K-PFC3B 2.1 Ok
    5 MSFC3 Daughterboard WS-SUP720 2.3 Ok
    6 Policy Feature Card 3 WS-F6K-PFC3B 2.3 Ok
    6 MSFC3 Daughterboard WS-SUP720 3.0 Ok
    Based on the specs above, is this box capable of establishing a IPSEC tunnel by applying the crypto map to the SVI???
    Thanks.
    Andy

  • Can I run multiple dial pools on an Ethernet interface on my 1721?

    I am attempting to configure a 1721 for a remote property that uses DSL with a DSL modem that will go into an Ethernet WIC on a 1721. Since I don't know if the ISP uses CHAP or PAP, I was wondering if I could run two dial pools on the ethernet0 interface, with one dialer set up for CHAP and the other set up for PAP, both with the same IP address. Here is the config I have so far:
    interface Ethernet0
    no ip address
    ip virtual-reassembly
    full-duplex
    pppoe enable
    pppoe-client dial-pool-number 2
    pppoe-client dial-pool-number 1
    no cdp enable
    interface FastEthernet0
    description local LAN
    ip address 10.*.*.* 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    speed auto
    full-duplex
    no cdp enable
    interface Dialer0
    no ip address
    shutdown
    interface Dialer1
    ip address *.*.*.169 255.255.255.248
    ip access-group 102 in
    ip mtu 1492
    ip inspect FIREWALL out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname ****@pacbell.net
    ppp chap password 7 ************************
    crypto map rdln_map
    interface Dialer2
    ip address *.*.*.169 255.255.255.248
    ip access-group 102 in
    ip mtu 1492
    ip inspect FIREWALL out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    dialer pool 2
    dialer-group 2
    ppp authentication pap callin
    ppp pap sent-username ****@pacbell.net password 7 ****************************
    crypto map rdln_map
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 0.0.0.0 0.0.0.0 Dialer2
    Will this even work? Or can I only have one dial pool on the ethernet0 interface? If I can have both, it would make things a little easier when I send it to the property.
    Any suggestions to tweak what I have are appreciated... thanks!

    I think I figured this out... here is what I did:
    interface Ethernet0
    no ip address
    ip virtual-reassembly
    full-duplex
    pppoe enable
    pppoe-client dial-pool-number 2
    pppoe-client dial-pool-number 1
    no cdp enable
    interface FastEthernet0
    description local LAN
    ip address *.*.*.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    speed auto
    full-duplex
    no cdp enable
    interface Dialer0
    no ip address
    shutdown
    interface Dialer1
    ip address *.*.*.169 255.255.255.248
    ip access-group 102 in
    ip mtu 1492
    ip inspect FIREWALL out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    dialer pool 1
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname ****@pacbell.net
    ppp chap password 7 **********************
    ppp pap sent-username ****@pacbell.net password 7 *************************
    crypto map rdln_map
    interface Dialer2
    ip address *.*.*.169 255.255.255.248
    ip access-group 102 in
    ip mtu 1492
    ip inspect FIREWALL out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    shutdown
    dialer pool 2
    dialer-group 2
    ppp authentication pap callin
    ppp pap sent-username ****@pacbell.net password 7 ************************
    crypto map rdln_map
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip nat inside source route-map nonat interface Dialer1 overload
    Does this look right?
    BTW, does anyone know how to remove the second pppoe-client (pppoe-client dial-pool-number 2) statement from my ethernet0 interface? It doesn't seem to want to go away :)

  • WARNING: This crypto map is incomplete

    Hi,
    I have an ASA with 4 L2L VPNs configured. Now I am trying to configure a new VPN tunnel; while configuring the crypto map match address it gives me an
    error like ... WARNING: This crypto map is incomplete
    As I have read in all the discussions on the forums, it's not affecting anything; request you to please help.
    Thanks
    Gajendra

    Hi,
    This is a normal message and just tells you that you have not yet entered all the "crypto map" commands related to this new connection to make the configuration complete.
    You will essentially have to make sure that you have at least the following lines configured:
    crypto map match address
    crypto map set peer
    crypto map set ikev1 transform-set
    The "transform-set" part might NOT need the "ikev1" depending on your ASAs software level.
    - Jouni

  • "Crypto map" to inside/internal interface. Possible?

    Hi, I have a two routers on a point to point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine but I need each router to present a different IP address to that of the external interface.
    For example:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    lifetime 3600
    crypto isakmp key privatekey address 4.4.4.4 no-xauth
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac
    crypto map VPN 1 ipsec-isakmp
    set peer 4.4.4.4
    set transform-set 3des
    match address vpn
    interface FastEthernet0/0
    ip address 4.4.4.4 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    speed 10
    full-duplex
    no cdp enable
    crypto map VPN
    interface FastEthernet0/1
    ip address 8.8.8.8 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the crypto statements as below, but it still presents the 4.4.4.4, probably due to the interface the crypto map is applied to:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    lifetime 3600
    crypto isakmp key privatekey address 8.8.8.8 no-xauth
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac
    crypto map VPN 1 ipsec-isakmp
    set peer 8.8.8.8
    set transform-set 3des
    match address vpn
    How can I make sure that 8.8.8.8 is what's presented at the other end?
    Thanks
    Andy

    Hi Andy,
    I would suggest the following command:
    crypto map local-address
    http://tools.cisco.com/squish/9c85B
    To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
    crypto map map-name local-address interface-id
    no crypto map map-name local-address
    Example:
    interface loopback0
         ip address 4.2.2.2 255.255.255.252
    crypto map mymap local-address loopback0
    interface S0
          crypto map mymap
    Of course you need to make sure the remote end can reach this additional IP address.
    Let me know if you have any questions.
    Please rate any post that you find useful.

  • Which interface does "crypto map vpn" get assigned to?

    I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4 which is my WAN side.

    Sander
    If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
    If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
    HTH
    Rick
    Sent from Cisco Technical Support iPhone App

  • Crypto Map on Tunnel interface

    Hi guys, when I try to apply a crypto map on a tunnel interface, the debug is (
    crypto map is configured on tunnel interface.  Currently only GDOI crypto map is supported on tunnel interface )
    Why can't I apply a simple crypto map on a tunnel interface? Anyone know?
    thanks

    This was proven to break CEF in the past and is a bad design choice by default.
    Newer releases do not allow you to configure this.
    If you're curious if it will work for you check releases prior to 15.x.
    M.

  • PING is unavailable after CRYPTO MAP on interface

    Hi guys,
    I have a problem with pinging the public IP of my router (Cisco 2801). I checked all my ACLs, but only when I remove the crypto map from the interface does PING work.
    interface FastEthernet0/0
     description ---LAN---$FW_INSIDE$
     ip address 192.168.28.31 255.255.255.0
     ip access-group 103 in
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
     no mop enabled
    interface FastEthernet0/1
     description ---WAN---$FW_OUTSIDE$$ES_LAN$
     ip address 109.68.238.175 255.255.255.224
     ip access-group 104 in
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed 10 
     crypto map MAIN
    and crypto map MAIN:
    crypto map MAIN 1 ipsec-isakmp 
     description a1
     set peer 180.94.84.177
     set peer 180.94.84.181
     set transform-set a1 
     match address a1
    crypto map MAIN 2 ipsec-isakmp 
     description a2 
     set peer 67.159.45.250
     set transform-set a2 
     match address a2
    and the ACLs for this MAIN crypto map:
    ip access-list extended a1
     remark CCP_ACL Category=4
     permit ip host 192.168.28.31 host 10.150.82.43
     permit ip host 192.168.28.30 host 10.150.82.43
     permit ip host 192.168.28.31 host 10.150.82.73
     permit ip host 192.168.28.30 host 10.150.82.73
     permit icmp any any
    ip access-list extended a2
     remark CCP_ACL Category=20
     permit ip host 192.168.28.31 host 67.159.51.2
     permit ip host 192.168.28.30 host 67.159.51.2
     permit ip host 192.168.28.31 host 67.159.51.14
     permit ip host 192.168.28.30 host 67.159.51.14
     permit ip host 192.168.28.31 host 67.159.51.10
     permit ip host 192.168.28.30 host 67.159.51.10
     permit icmp any any
    ACL for inbound on the WAN interface:
    access-list 104 remark CCP_ACL Category=17
    access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq non500-isakmp
    access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq isakmp
    access-list 104 permit esp host 180.94.84.177 host 109.68.238.175
    access-list 104 permit ahp host 180.94.84.177 host 109.68.238.175
    access-list 104 permit ip host 67.159.51.10 host 192.168.28.30
    access-list 104 permit ip host 67.159.51.10 host 192.168.28.31
    access-list 104 permit ip host 67.159.51.14 host 192.168.28.30
    access-list 104 permit ip host 67.159.51.14 host 192.168.28.31
    access-list 104 permit ip host 67.159.51.2 host 192.168.28.30
    access-list 104 permit ip host 67.159.51.2 host 192.168.28.31
    access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq non500-isakmp
    access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq isakmp
    access-list 104 permit esp host 180.94.84.181 host 109.68.238.175
    access-list 104 permit ahp host 180.94.84.181 host 109.68.238.175
    access-list 104 permit ip host 10.150.82.73 host 192.168.28.30
    access-list 104 permit ip host 10.150.82.73 host 192.168.28.31
    access-list 104 permit ip host 10.150.82.43 host 192.168.28.30
    access-list 104 permit ip host 10.150.82.43 host 192.168.28.31
    access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq non500-isakmp
    access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq isakmp
    access-list 104 permit esp host 67.159.45.250 host 109.68.238.175
    access-list 104 permit ahp host 67.159.45.250 host 109.68.238.175
    access-list 104 permit icmp any any
    access-list 104 permit esp any host 67.159.45.250
    access-list 104 permit udp any host 67.159.45.250 eq non500-isakmp
    access-list 104 permit udp any host 67.159.45.250 eq isakmp
    access-list 104 permit ahp any host 67.159.45.250
    Please show me where the problem is in my configs; I tried to change my config several times but the problem still exists.

    Nik
    As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
    I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?
    HTH
    Rick
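Both crypto ACLs a1 and a2 above end with permit icmp any any, so every ICMP packet leaving FastEthernet0/1 (including the router's own echo replies) is selected for IPsec to the peer rather than sent in the clear, which is the usual cause of exactly this symptom; a crypto ACL should list only the tunnel's own source/destination pairs. The Python below is an added check written for this page (not from the thread or from Cisco) that reports which crypto ACLs contain 'any' sources or destinations; it assumes a constructed config modelled on the posted one, with IOS-style indentation.

```python
import re

# Constructed sample modelled on the thread's config (not copied): crypto ACL a1 ends with a
# catch-all ICMP line, a2 lists only specific pairs, and 104 is an interface ACL, not a crypto ACL.
SAMPLE_CONFIG = """\
crypto map MAIN 1 ipsec-isakmp
 set peer 180.94.84.177
 set transform-set a1
 match address a1
crypto map MAIN 2 ipsec-isakmp
 set peer 67.159.45.250
 set transform-set a2
 match address a2
ip access-list extended a1
 remark CCP_ACL Category=4
 permit ip host 192.168.28.31 host 10.150.82.43
 permit ip host 192.168.28.30 host 10.150.82.43
 permit icmp any any
ip access-list extended a2
 permit ip host 192.168.28.31 host 67.159.51.2
 permit ip 192.168.28.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 permit icmp any any
"""

# permit <proto> <src> <dst>, where src/dst is 'host A', 'any' or 'NET WILDCARD'
ACE_RE = re.compile(r"permit (\S+) (host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)")

def crypto_acls(config):
    """Map each ACL named in a 'match address' to the (map, seq) entries that use it."""
    refs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            current = (m.group(1), int(m.group(2)))
        elif current and line.startswith("match address "):
            refs.setdefault(line.split()[2], []).append(current)
        elif not raw[:1].isspace():
            current = None  # left the crypto map stanza
    return refs

def acl_entries(config):
    """Return {acl: [permit lines]} for named (ip access-list) and numbered (access-list N) ACLs."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif m := re.match(r"access-list (\S+) (permit .*)$", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None  # numbered ACL lines are top-level, not a stanza
        elif current and raw[:1].isspace() and line.startswith("permit "):
            acls[current].append(line)
        elif not raw[:1].isspace():
            current = None
    return acls

def broad_aces(lines):
    """Permit lines whose source or destination is 'any'; in a crypto ACL these select
    traffic that has nothing to do with the tunnel (e.g. the router's own ping replies)."""
    return [ace for ace in lines if (m := ACE_RE.match(ace)) and "any" in (m.group(2), m.group(3))]

def audit_crypto_acls(config):
    """{crypto ACL name: over-broad lines}; an ACL with an empty list is clean."""
    acls = acl_entries(config)
    return {name: broad_aces(acls.get(name, [])) for name in crypto_acls(config)}
```

The interface ACL 104 is deliberately not reported: permit icmp any any is fine there, because an interface ACL only filters, whereas a crypto ACL decides what must be encrypted.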

  • Can we deploy a mapping through Command Prompt

    Can we deploy a mapping through Command Prompt. If so pls tell me how
    Thanks in Advance

    Hi,
    When deploying mappings from the command line, or when I try to run some other script in OMBPlus, I usually do the following:
    * Create a .bat file that will call your tcl script it will look something like this:
    rem @echo off
    cd <owb_install_dir>\owb\bin\win32\
    rem your script file
    call OMBplus "<path to your script>\scripts\DeployMapping.tcl"
    cd <path to your script>\scripts\
    * Create a .tcl file that will do the following:
    OMBCONNECT <user>/<password>@<server name>:<port>:<Service Name>;
    OMBCC 'MY_PROJECT';
    #Deploy Mapping
    OMBCONNECT CONTROL_CENTER <control_center_username/control_center_password>@<server name>:<port>:<service name> USE REPOS '<design repository user>';
    set om "<sub_location>";
    OMBCC '$om';
    set m "Mapping Name";
    puts " Deploying Mapping: $m";
    puts "";
    OMBCREATE TRANSIENT DEPLOYMENT_ACTION_PLAN '$m' ADD ACTION 'MAPPING_DEPLOY' SET PROPERTIES (OPERATION) VALUES ('REPLACE') SET REFERENCE MAPPING '/MY_PROJECT/$om/$m';
    catch { OMBDEPLOY DEPLOYMENT_ACTION_PLAN '$m' } ex;
    puts " $ex";
    OMBDROP DEPLOYMENT_ACTION_PLAN '$m' ;
    OMBDISCONNECT CONTROL_CENTER;
    OMBCOMMIT;
    For more information refer to the OMBPlus reference documentation
    Hope this helps
    Regards,
    Ricardo Ferreira

  • Crypto map mymap command I am not familiar with

    I have the following commands in a new pix I am taking over and I am not sure what they do?
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    any help would be appreciated

    Hi .. they are used for remote VPNs:
    1.- crypto map mymap client configuration address initiate
    explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will attempt to set IP addresses for each client.
    2.- crypto map mymap client configuration address respond
    explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will accept requests for IP addresses from any
    requesting client.
    I hope it helps .. please rate if it does !!

  • [ERR]crypto map WARNING: This crypto map is incomplete

    I have a PIX 501 ver 6.3(5); when I set up the VPN I get this error message:
    WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
    Although it seems fine in the sh conf command,
    the tunnel is not started.
    When I review the log I find:
    sa_request,ISAKMP Phase 1 exchange started

    I could successfully establish a VPN with another Cisco 501 6.3 FW,
    but still can't fix my dilemma when I connect to a Huawei Eudemon 500.
    sh isakmp
    PIX Version 6.3(5)
    interface ethernet0 10full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
    access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
    access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
    access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map outside_map 100 ipsec-isakmp
    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer remote peer
    crypto map outside_map 100 set transform-set ESP-3DES-SHA
    crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    sh crypto map
    Crypto Map: "outside_map" interfaces: { outside }
    Crypto Map "outside_map" 100 ipsec-isakmp
    Peer = remote peer
    access-list outside_cryptomap_100; 2 elements
    access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
    access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
    Current peer: remote peer
    Security association lifetime: 1843200 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ ESP-3DES-SHA, }
    Crypto Map: "set" interfaces: { }

  • Crypto map question

    Hi
    I have 2 crypto maps defined on my PIX 506E. Traffic of my first crypto map goes to tunnel 1 and traffic of my second interface goes to tunnel 2.
    I can't apply both the command crypto map CCS interface outside and crypto map PLC interface outside.
    I am able to apply only one.
    What can I do to use both crypto maps?
    crypto ipsec transform-set my_PLC esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto map PLC 30 ipsec-isakmp
    crypto map PLC 30 match address PLC
    crypto map PLC 30 set peer 10.10.10.1
    crypto map PLC 30 set transform-set my_PLC
    crypto map PLC interface outside
    isakmp key ******* address 10.10.10.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    crypto ipsec transform-set my_ccs esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto map CCS 20 ipsec-isakmp
    crypto map CCS 20 match address CCS
    crypto map CCS 20 set peer 20.20.20.1
    crypto map CCS 20 set transform-set my_ccs
    crypto map CCS interface outside
    isakmp key ****** address 20.20.20.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    Hi
    You can only have one crypto map per interface but you can have separate entries within the same crypto map eg.
    crypto map CCS 20 ipsec-isakmp
    crypto map CCS 20 match address CCS
    crypto map CCS 20 set peer 20.20.20.1
    crypto map CCS 20 set transform-set my_ccs
    crypto map CCS 30 ipsec-isakmp
    crypto map CCS 30 match address PLC
    crypto map CCS 30 set peer 10.10.10.1
    crypto map CCS 30 set transform-set my_PLC
    crypto map CCS interface outside
    HTH
    Jon
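The points made in this thread and in the replies above (a crypto map entry needs at least match address, set peer and a transform-set; only one crypto map can be bound to an interface; the map belongs on the outside interface, with crypto map local-address when a different IKE source address is wanted) can be checked mechanically against a saved config. The Python below is an added example written for this page, not from the thread or from Cisco; it parses both IOS-style (indented) and ASA/PIX-style (flat) crypto map lines from constructed sample configs and reports incomplete entries, interfaces with more than one map, and maps applied to an 'ip nat inside' interface.

```python
import re
from collections import defaultdict

# Constructed sample configs, not copied from the thread. IOS style: indented sub-commands;
# entry 20 lacks 'set peer', and the map is applied on the NAT-inside interface as well.
SAMPLE_IOS = """\
crypto map VPN 10 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set 3des
 match address vpn
crypto map VPN 20 ipsec-isakmp
 set transform-set 3des
 match address vpn2
interface FastEthernet0/0
 ip nat outside
 crypto map VPN
interface FastEthernet0/1
 ip nat inside
 crypto map VPN
"""

# ASA/PIX style: flat 'crypto map NAME SEQ ...' lines; two maps bound to the same interface.
SAMPLE_ASA = """\
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set ikev1 transform-set my_ccs
crypto map CCS interface outside
crypto map PLC 30 ipsec-isakmp
crypto map PLC 30 match address PLC
crypto map PLC 30 set peer 10.10.10.1
crypto map PLC 30 set transform-set my_PLC
crypto map PLC interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
REQUIRED = {"match address", "set peer", "set transform-set"}

def normalize(cmd):
    """Reduce a sub-command to its keywords: 'set ikev1 transform-set X' -> 'set transform-set'."""
    words = cmd.replace("set ikev1 transform-set", "set transform-set").split()
    return " ".join(words[:2]) if words[0] in ("set", "match") else words[0]

def parse(config):
    """Return (entries, bindings, nat_inside): sub-commands per (map, seq),
    maps bound per interface, and interfaces configured with 'ip nat inside'."""
    entries, bindings, nat_inside = defaultdict(set), defaultdict(list), set()
    context = None  # ("entry", (map, seq)) or ("iface", name) while inside a stanza
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented, line = raw[0].isspace(), raw.strip()
        if indented and context:
            kind, key = context
            if kind == "entry":
                entries[key].add(normalize(line))
            elif line.startswith("crypto map "):
                bindings[key].append(line.split()[2])
            elif line == "ip nat inside":
                nat_inside.add(key)
            continue
        context = None
        if m := BIND_RE.match(line):           # ASA: crypto map NAME interface IFACE
            bindings[m.group(2)].append(m.group(1))
        elif m := ENTRY_RE.match(line):        # crypto map NAME SEQ <sub-command>
            key = (m.group(1), int(m.group(2)))
            entries[key].add(normalize(m.group(3)))
            if m.group(3) == "ipsec-isakmp":  # IOS: indented sub-commands follow
                context = ("entry", key)
        elif line.startswith("interface "):
            context = ("iface", line.split(None, 1)[1])
    return entries, bindings, nat_inside

def incomplete_entries(config):
    """Entries that draw 'WARNING: This crypto map is incomplete', with what each lacks."""
    entries, _, _ = parse(config)
    return {f"{name} {seq}": sorted(REQUIRED - cmds)
            for (name, seq), cmds in entries.items() if not REQUIRED <= cmds}

def interface_conflicts(config):
    """Interfaces with more than one crypto map bound; the device accepts only one."""
    _, bindings, _ = parse(config)
    return {ifc: maps for ifc, maps in bindings.items() if len(set(maps)) > 1}

def maps_on_inside_interfaces(config):
    """Interfaces carrying both 'ip nat inside' and a crypto map: the map belongs outside."""
    _, bindings, nat_inside = parse(config)
    return sorted(ifc for ifc in bindings if ifc in nat_inside)
```

For the ASA sample the fix is Jon's: fold the PLC entry into the CCS map as a second sequence number and bind that one map to outside.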

  • One crypto map, different tunnel source addresses (secondary)

    Hi,
    I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?

    Source IP addresses for IKE exchanges leaving the same physical interface, i.e.:
    crypto map to-peer_a 10 ipsec-isakmp
    set peer 10.1.3.1
    set local-address loopback1 <-- new command
    match address 100
    crypto map to-peer_a 20 ipsec-isakmp
    set peer 10.1.3.2
    set local-address loopback2 <-- new command
    match address 101
    Current code allows to specify a local-address for each crypto map only, and not on a per crypto map instance, as suggested above.

  • IPSec VRF Aware (Crypto Map)

    Hello!
    I have a problem configuring VRF-aware IPsec (crypto map).
    Traffic (from subnet 10.6.6.248/29) does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
    Configuration below:
    ip vrf outside
     rd 1:1
    ip vrf inside
     rd 2:2
    track 10 ip sla 10 reachability
    ip sla schedule 10 life forever start-time now
    crypto keyring outside vrf outside 
      pre-shared-key address 10.10.10.100 key XXXXXX
    crypto isakmp policy 20
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    crypto isakmp profile AS_outside
       vrf inside
       keyring outside
       match identity address 10.10.10.100 255.255.255.255 outside
       isakmp authorization list default
    crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec df-bit clear
    crypto map outside 10 ipsec-isakmp 
     set peer 10.10.10.100
     set security-association idle-time 3600
     set transform-set ESP-AES 
     set pfs group2
     set isakmp-profile AS_outside
     match address inside_access
    ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
    ip access-list extended inside_access
     permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
    icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
     vrf outside
    interface GigabitEthernet0/0.806
    ip vrf forwarding outside
    ip address 10.10.10.101 255.255.255.0
    crypto-map outside
    interface GigabitEthernet0/1.737
    ip vrf forwarding inside
    ip address 10.6.6.252 255.255.255.248

    Hello Frank!
    >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
    I tried it before. Nothing changes.
    >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
    I also checked that. NetFlow shows counters, but the ACL counters do not. The source IP is 10.6.6.254/29.
    Show command output below:
    ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
     10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
    10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
      sources: RIB 
      feature space:
       NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
      ifnums:
       GigabitEthernet0/0.806(24): 10.10.10.100
      path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
      nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
      output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
