Can I enter the crypto map command on an Ethernet interface (LAN)?
Hi Friends,
I am establishing a VPN tunnel through the Internet. I have the public address configured on the Ethernet interface of the router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface? Please help me by providing the knowledge.
Your crypto map must be bound to the outside interface,
but you can choose which IP to use:
http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
[Pls RATE if HELPS]
Similar Messages
-
Commands that can be entered in the 'Command Field'
Hello All,
Does anyone know all commands that can be entered in the 'Command Field'.
I am interested in the commands that start with &, for example &sapedit, &vexcel, &vgrid, etc. (or commands such as PRFB, etc.)
Just curious: where are all these commands stored?
Thanks
Naved
Hi Nablan,
I tried your suggestion. I noticed that it lists some commands but not all.
For example, if I am in the CMOD tcode and click on GUI Status, nowhere do I see the command 'PRFB'.
According to a post on SDN, in the CMOD tcode, entering PRFB in the command field displays a list of all field exits.
Similarly, in SE16n there are field commands like &sapedit, &vexcel and &vgrid...
Please shed light on this,
Thanks -
Help with IPSEC? Can you apply crypto map to SVI?
Hi All,
Got a problem with a site-to-site IPSEC vpn implementation where one end is using SVI (eg: interface vlan 10).
Does anybody know if a crypto map can be applied to an SVI to bring up the IPSEC tunnel? It accepts the command but I can't pass any traffic to/from it.
interface vlan 10
crypto map MY-MAP
Or do you need to apply the crypto map to a physical interface?
I've gotten it working on a sub-interface (eg: interface GigabitEthernet0/0.11) but can't find any documentation that talks about applying it to an SVI and whether this will work. Has anybody tried it using SVIs before?
This is to be done on a Cisco 7606 (Sup720).
Thanks.
Andy
Hi Jerry,
I'm not that cluey with all the hardware on the box itself, but here's what we have on the box.
core1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
cisco CISCO7606 (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.
Processor board ID FOX092502NB
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.
228 Virtual Ethernet/IEEE 802.3 interfaces
124 Gigabit Ethernet/IEEE 802.3 interfaces
4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
core1#sh mod
Mod Ports Card Type Model
1 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
2 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
3 24 CEF720 24 port 1000mb SFP WS-X6724-SFP
4 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE
5 2 Supervisor Engine 720 (Active) WS-SUP720-3B
6 2 Supervisor Engine 720 (Hot) WS-SUP720-3B
Mod Sub-Module Model Hw Status
1 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
2 Centralized Forwarding Card WS-F6700-CFC 2.1 Ok
3 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
4 Centralized Forwarding Card WS-F6700-CFC 4.1 Ok
5 Policy Feature Card 3 WS-F6K-PFC3B 2.1 Ok
5 MSFC3 Daughterboard WS-SUP720 2.3 Ok
6 Policy Feature Card 3 WS-F6K-PFC3B 2.3 Ok
6 MSFC3 Daughterboard WS-SUP720 3.0 Ok
Based on the specs above, is this box capable of establishing an IPSEC tunnel by applying the crypto map to the SVI?
Thanks.
Andy -
Can I run multiple dial pools on an Ethernet interface on my 1721?
I am attempting to configure a 1721 for a remote property that uses DSL, with a DSL modem that will go into an Ethernet WIC on the 1721. Since I don't know if the ISP uses CHAP or PAP, I was wondering if I could run two dial pools on the Ethernet0 interface, with one dialer set up for CHAP and the other set up for PAP, both with the same IP address. Here is the config I have so far:
interface Ethernet0
no ip address
ip virtual-reassembly
full-duplex
pppoe enable
pppoe-client dial-pool-number 2
pppoe-client dial-pool-number 1
no cdp enable
interface FastEthernet0
description local LAN
ip address 10.*.*.* 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
no cdp enable
interface Dialer0
no ip address
shutdown
interface Dialer1
ip address *.*.*.169 255.255.255.248
ip access-group 102 in
ip mtu 1492
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ****@pacbell.net
ppp chap password 7 ************************
crypto map rdln_map
interface Dialer2
ip address *.*.*.169 255.255.255.248
ip access-group 102 in
ip mtu 1492
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username ****@pacbell.net password 7 ****************************
crypto map rdln_map
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
Will this even work? Or can I only have one dial pool on the Ethernet0 interface? If I can have both, it would make things a little easier when I send it to the property.
Any suggestions to tweak what I have are appreciated... thanks!
I think I figured this out... here is what I did:
interface Ethernet0
no ip address
ip virtual-reassembly
full-duplex
pppoe enable
pppoe-client dial-pool-number 2
pppoe-client dial-pool-number 1
no cdp enable
interface FastEthernet0
description local LAN
ip address *.*.*.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
no cdp enable
interface Dialer0
no ip address
shutdown
interface Dialer1
ip address *.*.*.169 255.255.255.248
ip access-group 102 in
ip mtu 1492
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname ****@pacbell.net
ppp chap password 7 **********************
ppp pap sent-username ****@pacbell.net password 7 *************************
crypto map rdln_map
interface Dialer2
ip address *.*.*.169 255.255.255.248
ip access-group 102 in
ip mtu 1492
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username ****@pacbell.net password 7 ************************
crypto map rdln_map
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source route-map nonat interface Dialer1 overload
Does this look right?
BTW, does anyone know how to remove the second pppoe-client (pppoe-client dial-pool-number 2) statement from my Ethernet0 interface? It doesn't seem to want to go away :) -
WARNING: This crypto map is incomplete
Hi ,
I have an ASA with 4 L2L VPNs configured. Now I am trying to configure a new VPN tunnel; while configuring the crypto map set match address it is giving me
an error like ... WARNING: This crypto map is incomplete
As I have read in all the discussions on the forums, it's not affecting anything; request you to please help.
Thanks
Gajendra
Hi,
This is a normal message and just tells you that you have not yet entered all the "crypto map" commands related to this new connection to make the configuration complete.
You will essentially have to make sure that you have AT LEAST the following lines configured:
crypto map match address
crypto map set peer
crypto map set ikev1 transform-set
The "transform-set" part might NOT need the "ikev1" depending on your ASA's software level.
- Jouni -
"Crypto map" to inside/internal interface. Possible?
Hi, I have two routers on a point-to-point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine, but I need each router to present a different IP address to that of the external interface.
For example:
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 4.4.4.4 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 4.4.4.4
set transform-set 3des
match address vpn
interface FastEthernet0/0
ip address 4.4.4.4 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 10
full-duplex
no cdp enable
crypto map VPN
interface FastEthernet0/1
ip address 8.8.8.8 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the crypto statements as below, but it still presents the 4.4.4.4, probably due to the interface the crypto map is applied to.
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 8.8.8.8 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 8.8.8.8
set transform-set 3des
match address vpn
How can I make sure that 8.8.8.8 is what's presented at the other end?
Thanks
Andy
Hi Andy,
I would suggest the following command:
crypto map local-address
http://tools.cisco.com/squish/9c85B
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Example:
interface loopback0
ip address 4.2.2.2 255.255.255.252
crypto map mymap local-address loopback0
interface S0
crypto map mymap
Of course you need to make sure the remote end can reach this additional IP address.
Let me know if you have any questions.
Please rate any post that you find useful. -
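To make the reply above concrete, here is an added example (not code from the thread or from Cisco) that parses an IOS-style snippet, reports which interface a crypto map is bound to, and resolves the address IKE/IPsec will source from: the bound interface's own address, or the interface named by a global "crypto map NAME local-address IF" line when one exists. The snippet, interface names and addresses are constructed to mirror Andy's post.

```python
import re

# Constructed IOS-style snippet modelled on the thread: the map is bound to
# FastEthernet0/0 (4.4.4.4) while the address the poster wants presented to
# the peer lives on FastEthernet0/1 (8.8.8.8).
BASE_CONFIG = """\
crypto map VPN 1 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set 3des
 match address vpn
interface FastEthernet0/0
 ip address 4.4.4.4 255.255.255.252
 ip nat outside
 crypto map VPN
interface FastEthernet0/1
 ip address 8.8.8.8 255.255.255.248
 ip nat inside
"""

# Same config plus the fix suggested in the reply (hypothetical applied line).
FIXED_CONFIG = BASE_CONFIG + "crypto map VPN local-address FastEthernet0/1\n"


def parse_interfaces(config):
    """Return {interface: {'ip': address or None, 'maps': [map names]}}.

    IOS stanzas start at column 0; their sub-commands are indented.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = {"ip": None, "maps": []}
            continue
        if current is None:
            continue  # indented line under a non-interface stanza
        cmd = line.strip()
        m = re.match(r"ip address (\S+) \S+$", cmd)
        if m:
            interfaces[current]["ip"] = m.group(1)
        m = re.match(r"crypto map (\S+)$", cmd)
        if m:
            interfaces[current]["maps"].append(m.group(1))
    return interfaces


def local_address_overrides(config):
    """{map name: interface} from global 'crypto map NAME local-address IF'."""
    return dict(re.findall(r"^crypto map (\S+) local-address (\S+)$", config, re.M))


def ike_source(config, map_name):
    """Return (interfaces the map is bound to, address IKE/IPsec sources from).

    Without local-address the (first) bound interface's own address is used;
    with it, the identifying interface's address is used instead.
    """
    interfaces = parse_interfaces(config)
    bound = sorted(n for n, d in interfaces.items() if map_name in d["maps"])
    if not bound:
        return [], None
    source_if = local_address_overrides(config).get(map_name, bound[0])
    return bound, interfaces.get(source_if, {}).get("ip")
```

As the reply notes, the peer must be able to reach whatever address this resolves to.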
Which interface does "crypto map vpn" get assigned to?
I'm setting up a site-to-site VPN and have been reading some examples, but my 871 uses a VLAN so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or to fe4, which is my WAN side?
Sander
If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
HTH
Rick
Sent from Cisco Technical Support iPhone App -
Crypto Map on Tunnel interface
Hi guys, when I try to apply a crypto map on a tunnel interface, the debug says (
crypto map is configured on tunnel interface. Currently only GDOI crypto map is supported on tunnel interface )
Why can't I apply a simple crypto map on a tunnel interface? Does anyone know?
thanks
This was proven to break CEF in the past and is a bad design choice by default.
Newer releases do not allow you to configure this.
If you're curious whether it will work for you, check releases prior to 15.x.
M. -
PING is unavailable after CRYPTO MAP on interface
Hi guys,
I have a problem with ping to the public IP of my router (Cisco 2801). I checked all my ACLs, but only when I remove the crypto map from the interface does PING work.
interface FastEthernet0/0
description ---LAN---$FW_INSIDE$
ip address 192.168.28.31 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description ---WAN---$FW_OUTSIDE$$ES_LAN$
ip address 109.68.238.175 255.255.255.224
ip access-group 104 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed 10
crypto map MAIN
and crypto map MAIN:
crypto map MAIN 1 ipsec-isakmp
description a1
set peer 180.94.84.177
set peer 180.94.84.181
set transform-set a1
match address a1
crypto map MAIN 2 ipsec-isakmp
description a2
set peer 67.159.45.250
set transform-set a2
match address a2
and the ACLs for this MAIN crypto map:
ip access-list extended a1
remark CCP_ACL Category=4
permit ip host 192.168.28.31 host 10.150.82.43
permit ip host 192.168.28.30 host 10.150.82.43
permit ip host 192.168.28.31 host 10.150.82.73
permit ip host 192.168.28.30 host 10.150.82.73
permit icmp any any
ip access-list extended a2
remark CCP_ACL Category=20
permit ip host 192.168.28.31 host 67.159.51.2
permit ip host 192.168.28.30 host 67.159.51.2
permit ip host 192.168.28.31 host 67.159.51.14
permit ip host 192.168.28.30 host 67.159.51.14
permit ip host 192.168.28.31 host 67.159.51.10
permit ip host 192.168.28.30 host 67.159.51.10
permit icmp any any
ACL for inbound on the WAN interface:
access-list 104 remark CCP_ACL Category=17
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ip host 67.159.51.10 host 192.168.28.30
access-list 104 permit ip host 67.159.51.10 host 192.168.28.31
access-list 104 permit ip host 67.159.51.14 host 192.168.28.30
access-list 104 permit ip host 67.159.51.14 host 192.168.28.31
access-list 104 permit ip host 67.159.51.2 host 192.168.28.30
access-list 104 permit ip host 67.159.51.2 host 192.168.28.31
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ip host 10.150.82.73 host 192.168.28.30
access-list 104 permit ip host 10.150.82.73 host 192.168.28.31
access-list 104 permit ip host 10.150.82.43 host 192.168.28.30
access-list 104 permit ip host 10.150.82.43 host 192.168.28.31
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 67.159.45.250 host 109.68.238.175
access-list 104 permit ahp host 67.159.45.250 host 109.68.238.175
access-list 104 permit icmp any any
access-list 104 permit esp any host 67.159.45.250
access-list 104 permit udp any host 67.159.45.250 eq non500-isakmp
access-list 104 permit udp any host 67.159.45.250 eq isakmp
access-list 104 permit ahp any host 67.159.45.250
Please show me where the problem is in my configs; I have tried to change my config several times but the problem still exists.
Nik
As far as I know the technically correct answer to your question is: Yes, you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?
HTH
Rick -
Can we deploy a mapping through Command Prompt
Can we deploy a mapping through the Command Prompt? If so, please tell me how.
Thanks in Advance
Hi,
When deploying mappings from the command line, or when I try to run some other script in OMBPlus, I usually do the following:
* Create a .bat file that will call your tcl script; it will look something like this:
rem @echo off
cd <owb_install_dir>\owb\bin\win32\
rem your script file
call OMBplus "<path to your script>\scripts\DeployMapping.tcl"
cd <path to your script>\scripts\
* Create a .tcl file that will do the following:
OMBCONNECT <user>/<password>@<server name>:<port>:<Service Name>;
OMBCC 'MY_PROJECT';
#Deploy Mapping
OMBCONNECT CONTROL_CENTER <control_center_username/control_center_password>@<server name>:<port>:<service name> USE REPOS '<design repository user>';
set om "<sub_location>";
OMBCC '$om';
set m "Mapping Name";
puts " Deploying Mapping: $m";
puts "";
OMBCREATE TRANSIENT DEPLOYMENT_ACTION_PLAN '$m' ADD ACTION 'MAPPING_DEPLOY' SET PROPERTIES (OPERATION) VALUES ('REPLACE') SET REFERENCE MAPPING '/MY_PROJECT/$om/$m';
catch { OMBDEPLOY DEPLOYMENT_ACTION_PLAN '$m' } ex;
puts " $ex";
OMBDROP DEPLOYMENT_ACTION_PLAN '$m' ;
OMBDISCONNECT CONTROL_CENTER;
OMBCOMMIT;
For more information refer to the OMBPlus reference documentation.
Hope this helps
Regards,
Ricardo Ferreira -
Crypto map mymap command I am not familiar with
I have the following commands in a new PIX I am taking over and I am not sure what they do:
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
Any help would be appreciated
Hi .. they are used for remote VPNs:
1.- crypto map mymap client configuration address initiate
explanation: Use the crypto map mymap for remote vpn clients and the PIX Firewall will attempt to set IP addresses for each client.
2.- crypto map mymap client configuration address respond
explanation: Use the crypto map mymap for remote VPN clients and the PIX Firewall will accept requests for IP addresses from any requesting client.
I hope it helps .. please rate if it does !! -
[ERR]crypto map WARNING: This crypto map is incomplete
I have a PIX 501 ver 6.3(5). When I set up a VPN I get this error message:
WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
although it seems fine in the sh conf command
but the tunnel is not started
when I review the log I found
sa_request, ISAKMP Phase 1 exchange started
I could successfully establish a VPN with another Cisco 501 6.3 FW
but still can't fix my dilemma in which I connect to a Huawei Eudemon 500
sh isakmp
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer remote peer
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
sh crypto map
Crypto Map: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 100 ipsec-isakmp
Peer = remote peer
access-list outside_cryptomap_100; 2 elements
access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
Current peer: remote peer
Security association lifetime: 1843200 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ ESP-3DES-SHA, }
Crypto Map: "set" interfaces: { } -
Hi
If I have 2 crypto maps defined on my PIX 506E: traffic of my first crypto map goes for tunnel 1 & traffic of my second interface goes for tunnel 2.
I can't apply the commands crypto map CCS interface outside & crypto map PLC interface outside.
I am able to apply only one.
How can I use both crypto maps?
crypto ipsec transform-set my_PLC esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map PLC 30 ipsec-isakmp
crypto map PLC 30 match address PLC
crypto map PLC 30 set peer 10.10.10.1
crypto map PLC 30 set transform-set my_PLC
crypto map PLC interface outside
isakmp key ******* address 10.10.10.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto ipsec transform-set my_ccs esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set transform-set my_ccs
crypto map CCS interface outside
isakmp key ****** address 20.20.20.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Hi
You can only have one crypto map per interface, but you can have separate entries within the same crypto map, e.g.:
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set transform-set my_ccs
crypto map CCS 30 ipsec-isakmp
crypto map CCS 30 match address PLC
crypto map CCS 30 set peer 10.10.10.1
crypto map CCS 30 set transform-set my_PLC
crypto map CCS interface outside
HTH
Jon -
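An added example (not code from either thread, nor Cisco's) that checks PIX/ASA-style crypto map lines for the two situations discussed above: Jouni's point that every entry needs match address, set peer and a transform-set before the "incomplete" warning goes away, and Jon's point that only one crypto map can be bound per interface, so a second map's entries must be folded into the first under their own sequence numbers. The configuration lines, map names and peer addresses are constructed to mirror the posts; the merge helper is my own.

```python
import re
from collections import defaultdict

# Constructed PIX/ASA-style lines modelled on the threads: CCS 20 is complete,
# CCS 40 has only a peer (the state that triggers the warning), PLC 30 lacks
# its peer, and two different maps are bound to 'outside'.
CONFIG = """\
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set ikev1 transform-set my_ccs
crypto map CCS 40 set peer 30.30.30.1
crypto map CCS interface outside
crypto map PLC 30 ipsec-isakmp
crypto map PLC 30 match address PLC
crypto map PLC 30 set transform-set my_PLC
crypto map PLC interface outside
"""

# The three sub-commands every entry needs before the warning goes away.
REQUIRED = ("match address", "set peer", "set transform-set")


def parse_crypto_maps(config):
    """Return ({(map, seq): {sub-commands}}, {interface: [bound maps]})."""
    entries = defaultdict(set)
    bindings = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            bindings[m.group(2)].append(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)$", line)
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        # 'set ikev1 transform-set' (newer ASA) counts the same as the older
        # 'set transform-set' form mentioned in the reply
        rest = rest.replace("set ikev1 transform-set", "set transform-set")
        entries[(name, seq)].add(rest)
    return entries, bindings


def incomplete_entries(config):
    """{(map, seq): [missing sub-commands]} for entries that would warn."""
    entries, _ = parse_crypto_maps(config)
    report = {}
    for key, subcmds in entries.items():
        missing = [r for r in REQUIRED if not any(s.startswith(r) for s in subcmds)]
        if missing:
            report[key] = missing
    return report


def overbound_interfaces(config):
    """Interfaces with more than one map bound; the device keeps only one."""
    _, bindings = parse_crypto_maps(config)
    return {i: maps for i, maps in bindings.items() if len(maps) > 1}


def merge_into(config, target, *others):
    """Rewrite entries of the other maps under the target name and drop their
    interface bindings, leaving one map with several sequence numbers."""
    entries, _ = parse_crypto_maps(config)
    used = {seq for (name, seq) in entries if name == target}
    out = []
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (interface \S+|(\d+) .+)$", line)
        if m and m.group(1) in others:
            if m.group(3) is None:
                continue  # binding of a merged map; the target's own binding stays
            if int(m.group(3)) in used:
                raise ValueError(f"sequence {m.group(3)} already used in {target}")
            line = f"crypto map {target} {m.group(2)}"
        out.append(line)
    return "\n".join(out) + "\n"
```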
One crypto map, different tunnel source addresses (secondary)
Hi,
I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/tunnel mode). I want to move the 851's configuration to the 2811 and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?
Source IP addresses for IKE for exchanges leaving out of the same physical interface, ie:
crypto map to-peer_a 10 ipsec-isakmp
set peer 10.1.3.1
set local-address loopback1 <-- new command
match address 100
crypto map to-peer_a 20 ipsec-isakmp
set peer 10.1.3.2
set local-address loopback2 <-- new command
match address 101
Current code only allows specifying a local-address per crypto map, and not per crypto map instance as suggested above. -
IPSec VRF Aware (Crypto Map)
Hello!
I have a problem configuring VRF-aware IPsec (crypto map).
Any traffic (from subnet 10.6.6.248/29) does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248
Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
It is also checked. Netflow shows counters, and ACL counters are not present. Source IP is 10.6.6.254/29.
show command output below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)