Crypto map removing itself after reload
Hello,
I just set up my site-to-site VPN with a PIX box and a Cisco 3745.
The PIX box is fine, but on the 3745, whenever I reload it, the crypto map is not applied to the interface after the reload.
Hello,
I did issue a write memory.
sh ver
Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 14:41 by prod_rel_team
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
FIBERJGX-3745-01 uptime is 3 hours, 49 minutes
System returned to ROM by reload at 01:32:53 UTC Fri Jul 5 2013
System restarted at 01:34:09 UTC Fri Jul 5 2013
System image file is "slot0:c3745-adventerprisek9-mz.124-25.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected]
Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
Processor board ID JMX0837L5AU
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of NVRAM.
31360K bytes of ATA System CompactFlash (Read/Write)
125952K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
Similar Messages
-
Problem removing listener after reload
Note: Using AS2, Flash 8
Here's the setup:
I'm developing a small game based on Wheel of Fortune. The
.swf for the game is loaded into another flash application on
another developer's end. Their application is build like a
slideshow. (switching from one .swf to the next, one of which is my
game)
I have a "board" of letter spaces and an input text field for
guessing the phrase.
The user can either hit letter keys to guess letters on the
board OR click in the input field and guess the phrase. The input
field has onSetFocus and onKillFocus function to prevent both
happening at the same time. Once a user has entered text in the
field, they can either hit a button or press enter to check if it's
the right answer.
Attached at the bottom is a simplified example of the
listeners for key presses and the input field's functions:
Thankfully, all this code works fine, but only the first time
around. If you go back to the game again, it doesn't work the same:
If you start typing in the input field, letters pop up on the board
too. (Which, of course, is not supposed to happen)
I've been able to test this by testing the movie (Ctrl-Enter)
and then hitting Ctrl-Enter again to reload.
After doing a trace(Key._listeners.length); I get 1 the first
time and 2 the second time.
What this tells me is that on the second time around, even
though the input_txt.onSetFocus function should be removing the
keyListener, the keyListener.onKeyDown function is still executing
because there are now 2 keyListeners. (1 is removed, but the other
continues to execute)
I've tried attempting to remove the keyListener before any of
the code above executes, but it seems to have no effect.
How is it possible for there to be 2 listeners by the same
name?
How do I make sure that there is only one listener active?
This is an interesting problem. The Key._listener array must
still live in the cache while Flash is in operation, it seems if
you close down the program and then reopen (like if you shut down
the browser and came back) this doesn't happen, but on reload it
most certainly does.
I have a solution for you. Loop through the array and remove
all registered listeners on reload, place the code below previous
to the registering of the 'keyListener' object:
Hey, what did I win! ;) -
I am not able to remove crypto map SONZOGNI^@
Please,show me the command to remove crypto map SONZOGNI^@ .
The command "no crypto map SONZOGNI^@" doesn't work; the response is "crypto map unexisting".
The Router model is 3640.
Thanks
12.0
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
boot system flash:c3640-is40-mz.120-24.bin
logging buffered 32000 debugging
no logging console
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
isdn switch-type primary-net5
crypto map SONZOGNI^@ 1
set peer cisco-sonzogni
match address sonzogni-encrypt
clock timezone CET 1
clock summer-time CET-SUM recurring last Sun Mar 3:00 last Sun Oct 3:00
call-history-mib max-size 200
Try "no crypto map SONZOGNI^@ 1"; you have to mention the 1 also.
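Both of the crypto map threads above come down to one question: what does the box actually have configured, and under which exact name and sequence number? The 3745 poster cannot tell from `show version` whether the interface binding ever reached NVRAM, and the 3640 poster needs the exact `no` form for a map whose name carries a control character. The following is an added example (not code from either poster or from Cisco) that parses two saved config dumps and answers both: it lists interface `crypto map` bindings present in the running-config but absent from the startup-config (exactly what will be gone after the next reload), flags bindings to a map name no sequence entry defines, and prints a per-sequence-number `no crypto map NAME SEQ` command for any map whose name contains non-printable characters. The sample configs, hostnames and peer addresses are constructed for the example.

```python
import re

# Only three line shapes matter here: a global crypto map sequence entry, an
# interface header, and a 'crypto map NAME' applied under an interface.
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+)(?: (ipsec-isakmp|ipsec-manual))?\s*$")
IFACE_HEADER = re.compile(r"^interface (\S+)\s*$")
IFACE_MAP = re.compile(r"^\s+crypto map (\S+)\s*$")

# Constructed sample configs modelled on the two posts; not the posters' real files.
RUNNING_CFG = "\n".join([
    "hostname FIBERJGX-3745-01",
    "crypto map SONZOGNI\x00 1",        # name with an embedded NUL, shown as ^@ by the terminal
    " set peer 203.0.113.10",
    " match address sonzogni-encrypt",
    "crypto map VPNMAP 10 ipsec-isakmp",
    " set peer 198.51.100.7",
    " match address 110",
    "interface FastEthernet0/0",
    " ip address 192.0.2.1 255.255.255.0",
    " crypto map VPNMAP",
    "interface FastEthernet0/1",
    " ip address 10.0.0.1 255.255.255.0",
    "end",
])
# Same box, but the interface binding never made it into NVRAM.
STARTUP_CFG = "\n".join(l for l in RUNNING_CFG.splitlines() if l != " crypto map VPNMAP")


def crypto_map_entries(config):
    """All (name, sequence) pairs defined at global configuration level."""
    entries = []
    for line in config.splitlines():
        m = MAP_ENTRY.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2))))
    return entries


def applied_maps(config):
    """{interface: map_name} for every 'crypto map' statement under an interface."""
    applied, current = {}, None
    for line in config.splitlines():
        header = IFACE_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        if not line.startswith(" "):      # any other global line ends the interface block
            current = None
            continue
        m = IFACE_MAP.match(line)
        if m and current:
            applied[current] = m.group(1)
    return applied


def lost_after_reload(running, startup):
    """Interface bindings in the running-config that the saved startup-config lacks.
    Whatever is listed here will not exist after the next reload, so compare the
    two dumps before reloading rather than after."""
    saved = applied_maps(startup)
    return sorted((i, m) for i, m in applied_maps(running).items() if saved.get(i) != m)


def dangling_bindings(config):
    """Interfaces that reference a map name no sequence entry defines."""
    defined = {name for name, _ in crypto_map_entries(config)}
    return sorted((i, m) for i, m in applied_maps(config).items() if m not in defined)


def removal_commands_for_odd_names(config):
    """Maps whose name contains a non-printable character (the SONZOGNI^@ case),
    with one 'no crypto map NAME SEQ' command per sequence number, which is the
    form the reply in the thread above reports as working."""
    cmds = {}
    for name, seq in crypto_map_entries(config):
        if not name.isprintable():
            cmds.setdefault(name, []).append(f"no crypto map {name} {seq}")
    return cmds


if __name__ == "__main__":
    for iface, name in lost_after_reload(RUNNING_CFG, STARTUP_CFG):
        print(f"{iface}: 'crypto map {name}' is in running-config but not in startup-config")
    for iface, name in dangling_bindings(RUNNING_CFG):
        print(f"{iface}: references undefined crypto map {name!r}")
    for name, cmds in removal_commands_for_odd_names(RUNNING_CFG).items():
        print(f"map name {name!r} contains non-printable characters; remove with:")
        for c in cmds:
            print("  " + repr(c)[1:-1])      # repr makes the NUL visible as \x00
```

Feed it the output of `show running-config` and `show startup-config` captured to files; a binding that shows up in the first list is one that `write memory` did not persist, while an empty first list on a box that still loses the map points at the line being rejected while the startup-config is parsed at boot, which is where `show logging` from the boot should be read next.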
-
Cisco 5520: removed crypto map still in effect
so i typoed a command: "crypto map Map1 7"... instead of "crypto map Map1 70".
I cleared the Map1 7 entries, and added the correct entries in Map1 70.
I cleared all of the vpn sessions:
no crypto map Map1 int outside
cl ips sa
cl isa sa
Now, however, whenever I try to ping the remote network from the inside interface, it seems to read the Map1 7 policy instead of Map1-70.
Is there anyway to clear the Map1 7 entries from memory? I'm trying to avoid rebooting the firewall.
Thanks,
Jeff
But when I try
With ASA you need the "clear configure" command to remove a crypto map sequence number:
clear configure crypto map map-name seq-num
(in configuration mode) -
Lose telnet capability after crypto map
Hello,
I have 2 DSL routers setup with a VPN tunnel between them. The VPN works fine. Before setting up the tunnel, I had telnet/SSH access. However, when I apply the crypto map to the Dialer interface, I lose the ability to telnet/SSH to the router. If I remove the VPN setup, I regain the ability to telnet/SSH.
Any thoughts? I was wondering if the fact the Dialer interface is a logical interface is what is causing the problems?
Thanks.
Tony
Here is the config. ACL 120 has permit ip any any but it is referenced by NAT, not the crypto. Crypto references ACL 130. I have seen it posted not to put any any in the crypto ACLs; perhaps this applies to the NAT as well. I will try changing that one. Anyway, here is the config. Pretty straightforward.
sh run
Building configuration...
Current configuration : 2927 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Ashtabula
boot-start-marker
boot-end-marker
enable secret 5
no aaa new-model
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool Ash-dhcp
network 192.168.1.0 255.255.255.0
dns-server 166.x.x.11 166.102.165.13
default-router 192.168.1.1
lease 7
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name Ashtabula.local
ip name-server 166.102.165.11
ip name-server 166.102.165.13
vpdn enable
username
username
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx no-xauth
crypto ipsec transform-set ToMead esp-3des esp-sha-hmac
crypto map Meadville 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ToMead
match address 130
archive
log config
hidekeys
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 10
bridge-group 10 spanning-disabled
interface Dialer0
ip address yy.yy.yy.yy 255.255.255.252
ip access-group 100 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 0 xxxxxxx
ppp ipcp dns request
ppp ipcp address accept
crypto map Meadville
interface Dialer1
no ip address
no cdp enable
interface BVI10
description Bridge to Internal Network
no ip address
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan1
ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxx
login local
scheduler max-task-time 5000
end -
PING is unavailable after CRYPTO MAP on interface
Hi guys,
I have a problem with pinging the public IP of my router (Cisco 2801). I checked all my ACLs, but only when I remove the crypto map from the interface does PING work.
interface FastEthernet0/0
description ---LAN---$FW_INSIDE$
ip address 192.168.28.31 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description ---WAN---$FW_OUTSIDE$$ES_LAN$
ip address 109.68.238.175 255.255.255.224
ip access-group 104 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed 10
crypto map MAIN
and crypto map MAIN
crypto map MAIN 1 ipsec-isakmp
description a1
set peer 180.94.84.177
set peer 180.94.84.181
set transform-set a1
match address a1
crypto map MAIN 2 ipsec-isakmp
description a2
set peer 67.159.45.250
set transform-set a2
match address a2
and ACLs for this MAIN crypto
ip access-list extended a1
remark CCP_ACL Category=4
permit ip host 192.168.28.31 host 10.150.82.43
permit ip host 192.168.28.30 host 10.150.82.43
permit ip host 192.168.28.31 host 10.150.82.73
permit ip host 192.168.28.30 host 10.150.82.73
permit icmp any any
ip access-list extended a2
remark CCP_ACL Category=20
permit ip host 192.168.28.31 host 67.159.51.2
permit ip host 192.168.28.30 host 67.159.51.2
permit ip host 192.168.28.31 host 67.159.51.14
permit ip host 192.168.28.30 host 67.159.51.14
permit ip host 192.168.28.31 host 67.159.51.10
permit ip host 192.168.28.30 host 67.159.51.10
permit icmp any any
ACL for inbound in WAN interface
access-list 104 remark CCP_ACL Category=17
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ip host 67.159.51.10 host 192.168.28.30
access-list 104 permit ip host 67.159.51.10 host 192.168.28.31
access-list 104 permit ip host 67.159.51.14 host 192.168.28.30
access-list 104 permit ip host 67.159.51.14 host 192.168.28.31
access-list 104 permit ip host 67.159.51.2 host 192.168.28.30
access-list 104 permit ip host 67.159.51.2 host 192.168.28.31
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ip host 10.150.82.73 host 192.168.28.30
access-list 104 permit ip host 10.150.82.73 host 192.168.28.31
access-list 104 permit ip host 10.150.82.43 host 192.168.28.30
access-list 104 permit ip host 10.150.82.43 host 192.168.28.31
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 67.159.45.250 host 109.68.238.175
access-list 104 permit ahp host 67.159.45.250 host 109.68.238.175
access-list 104 permit icmp any any
access-list 104 permit esp any host 67.159.45.250
access-list 104 permit udp any host 67.159.45.250 eq non500-isakmp
access-list 104 permit udp any host 67.159.45.250 eq isakmp
access-list 104 permit ahp any host 67.159.45.250
Please show me where the problem is in my configs; I have tried to change my config several times but the problem still exists.
Nik
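The two configs above (Ashtabula, and the 2801 with crypto map MAIN) are worth a mechanical check rather than eyeballing. Three things a practitioner looks for: a crypto ACL line with `any` on both sides (`permit icmp any any` in a1 and a2 makes every ICMP packet "interesting" traffic, including the router's own echo replies to a ping of its public address, which IPsec then tries to send to the peer instead of in the clear); crypto-ACL traffic that the NAT overload ACL does not `deny` first, since inside-to-outside NAT runs before crypto and a translated packet no longer matches the crypto ACL; and an `ip access-group` that names an ACL the config never defines (Ashtabula applies `ip access-group 100 in` on Vlan1 and Dialer0 but defines no access-list 100), which on IOS permits all traffic. The following is an added example, not code from either poster or from Cisco; the config it runs on is constructed with documentation addresses to show all three findings, and the NAT check is exact-match only (a broader deny would also exempt the flow), so its hits mean "go and look", not "broken".

```python
from collections import defaultdict

# Constructed sample, modelled on the Ashtabula and MAIN configs above but with
# documentation addresses; it deliberately carries all three problems checked below.
SAMPLE_CFG = """\
hostname Ashtabula
crypto map Meadville 10 ipsec-isakmp
 set peer 198.51.100.7
 match address 130
crypto map MAIN 1 ipsec-isakmp
 set peer 198.51.100.9
 match address a1
interface Dialer0
 ip address 192.0.2.2 255.255.255.252
 ip access-group 100 in
 ip nat outside
 crypto map Meadville
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 120 interface Dialer0 overload
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended a1
 remark CCP_ACL Category=4
 permit ip host 192.168.28.31 host 10.150.82.43
 permit icmp any any
"""


def _endpoint(toks):
    """Consume one ACL endpoint: 'any' | 'host A' | 'A WILDCARD'. Returns (text, rest)."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]


def _ace(toks):
    """Normalise an ACE to (action, proto, src, dst); standard ACLs get proto 'ip', dst 'any'."""
    action, rest = toks[0], toks[1:]
    if rest[0] in ("any", "host") or rest[0][0].isdigit():   # standard ACL: no protocol field
        return (action, "ip", _endpoint(rest)[0], "any")
    proto, rest = rest[0], rest[1:]
    src, rest = _endpoint(rest)
    dst = _endpoint(rest)[0] if rest else "any"               # trailing 'eq ...' etc. is ignored
    return (action, proto, src, dst)


def parse_config(cfg):
    acls = defaultdict(list)   # acl name -> [(action, proto, src, dst)]
    crypto_acls = {}           # "MAP seq" -> match-address ACL
    nat_acls = set()           # ACLs used by 'ip nat inside source list'
    access_groups = []         # (interface, acl, direction)
    ctx = None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            ctx = None
            continue
        toks = raw.split()
        if not raw.startswith(" "):                   # global line: may open a new block
            ctx = None
            if toks[0] == "access-list" and toks[2] in ("permit", "deny"):
                acls[toks[1]].append(_ace(toks[2:]))
            elif toks[:3] == ["ip", "access-list", "extended"]:
                ctx = ("acl", toks[3])
            elif toks[:2] == ["crypto", "map"] and len(toks) > 3 and toks[3].isdigit():
                ctx = ("map", f"{toks[2]} {toks[3]}")
            elif toks[0] == "interface":
                ctx = ("iface", toks[1])
            elif toks[:5] == ["ip", "nat", "inside", "source", "list"]:
                nat_acls.add(toks[5])
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "acl" and toks[0] in ("permit", "deny"):
            acls[name].append(_ace(toks))
        elif kind == "map" and toks[:2] == ["match", "address"]:
            crypto_acls[name] = toks[2]
        elif kind == "iface" and toks[:2] == ["ip", "access-group"]:
            access_groups.append((name, toks[2], toks[3]))
    return acls, crypto_acls, nat_acls, access_groups


def audit(cfg):
    acls, crypto_acls, nat_acls, access_groups = parse_config(cfg)
    # Exact-match NAT exemption check (a broader deny would also exempt the flow).
    nat_denies = {(p, s, d) for n in nat_acls for a, p, s, d in acls.get(n, []) if a == "deny"}
    overbroad, not_exempt = [], []
    for entry, acl in crypto_acls.items():
        for action, proto, src, dst in acls.get(acl, []):
            if action != "permit":
                continue
            if src == "any" and dst == "any":          # every packet of that protocol is "interesting",
                overbroad.append((entry, acl, proto))  # including the router's own echo replies
            if (proto, src, dst) not in nat_denies:    # translated before crypto, so never encrypted
                not_exempt.append((entry, proto, src, dst))
    # An access-group naming an ACL that does not exist permits everything on IOS.
    undefined = [(i, a, d) for i, a, d in access_groups if a not in acls]
    return {"overbroad": overbroad, "not_nat_exempt": not_exempt, "undefined_acl": undefined}


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_CFG).items():
        for hit in hits:
            print(check, *hit)
```

Run it against a `show running-config` capture; an `overbroad` hit on an ICMP line is the usual reason a router's public address stops answering pings the moment a crypto map lands on the interface, and the fix is to narrow that line to the real host pairs rather than to touch the interface ACLs.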
As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?
HTH
Rick -
Hi there!
I don't know if it is some kind of bug, but every time after I reload the CX module everything stops working, regardless of how I reset the module.
I already tried to access the module and reload, tried to stop services with the "services stop" command and after that "reload", tried to shut down using ASA commands and reload it from the ASA... every time I reload, when the module comes back all services start perfectly, like the example below:
spcx02>show services status
============================================================
Process | PID | Up | Up Time
============================================================
AD Interface | 6284 | True | 05:03:03
Message Nameserver| 6022 | True | 05:03:59
HTTP Auth Daemon | 6094 | True | 05:03:58
PDTS | 6073 | True | 05:03:59
HTTP Inspector | 6193 | True | 05:03:37
HTTP Server | 5972 | True | 05:03:59
Data Plane | 6270 | True | 05:03:06
Management Plane | 6115 | True | 05:03:45
HPM Monitor | 6289 | True | 05:03:03
Updater | 6399 | True | 05:02:52
Card Manager | 5930 | True | 05:03:59
ARP Daemon | 6089 | True | 05:03:58
Event Server | 6133 | True | 05:03:41
TLS Proxy | 6204 | True | 05:03:37
============================================================
spcx02>show ver
Cisco ASA CX Platform 9.1.2 (42)
Cisco Prime Security Manager 9.1.2 (42) for spcx02 firewall
spcx02>
I can even access the GUI using my browser, but all authentication with CDA or AD that was working correctly before the reboot shows the error:
"Connection failed with error: Could not connect to virtual directory interface."
Every time I reload I must reinstall the entire module and reconfigure everything. Does anyone know if this is a bug that crashes the database or something like that?
Regards,
Rodrigo Alves
Ah, I forgot to mention that after I reload the module and it comes back, it stops all traffic passing through the firewall and I must remove the policy-map configuration:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect h323 h225
inspect h323 ras
inspect skinny
class class-default
cxsc fail-open auth-proxy -
Site to Site VPN working without Crypto Map (ASA 8.2(1))
Hi All,
Found a strange situation on our ASA5540 firewall :
We have a couple of Site to Site VPNs and also client VPN enabled on the ASA; all are working fine. But I found a Site to Site VPN is up and running without a crypto map configuration. Is that possible?
I tried to clear isa sa and clear ipsec sa then the VPN came up again. Also tested it's pingable to remote site thru the VPN.
I did see there is tunnel-group config for the VPN but didn't see any crypto map and ACL.
How does Firewall know which traffic need be encrypted to this VPN tunnel without crypto map?
Is it the bug ?
Thanks in advance,
It might be an easy VPN setup.
Could you post a running config output remove any sensitive info. This could help us answer your question more exactly. -
IPhoto will not open even after reload
I have remove iPhoto and reloaded from disc. Still getting the same error message. I am basically pretty frustrated at this point, any ideas?
Interval Since Last Report: 13374 sec
Crashes Since Last Report: 8
Per-App Crashes Since Last Report: 8
Anonymous UUID: 41254D60-DDE4-4A37-A55C-DB4E70D14C3F
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Crashed Thread: 0
Dyld Error Message:
Library not loaded: /System/Library/PrivateFrameworks/iLifeSlideshow.framework/Versions/A/Frameworks/iLifeSlideshowProducer.framework/Versions/A/iLifeSlideshowProducer
Referenced from: /System/Library/PrivateFrameworks/iLifeSlideshow.framework/Versions/A/iLifeSlideshow
Reason: no suitable image found. Did find:
/System/Library/PrivateFrameworks/iLifeSlideshow.framework/Versions/A/Frameworks/iLifeSlideshowProducer.framework/Versions/A/iLifeSlideshowProducer:
stat() failed with errno=5
I am at my wit's end with iPhoto error messages and the inability to reload it. It worked fine until yesterday, when I started getting the "library not loaded" error message. I deleted the app, removed the pkg files from HD/Library/Receipts and reloaded the app from my iLife CD as suggested. I have done this 6 times without success and continue to receive the same error message. During reinstall it runs for a long time saying "loading packages". After the reload there are no new pkg files in the HD/Library/Receipts location. I do not know what to do next . . . I am open to any assistance.
-
Why does my Power MAC G4 keep restarting itself after I shut it down?
Hi,
Thanks for reading this.
Why does my Power MAC G4 keep restarting itself after I shut it down?
This JUST started happening only 4 days ago.
Most recent installation was Limewire, but I removed it to see if this problem would go away.
I have 3 internal drives (See drive types below) that all have OS 10 on them in order to be able to boot up from either drive in the event of trouble.
However...
No matter WHICH drive I use as the start up drive... the computer STILL restarts itself after it is properly commanded to shut down.
Prior to the Limewire install... the ADOBE creative suite was installed.
There is a Lexmark X83 printer hooked to the computer, which, it seems doesn't matter if it is left on or off... the computer still restarts itself.
Any ideas?
Thanks!
PowerMAC G4(2002 Quicksilver) Mac OS X (10.4.5) 2 Seagate SATA 250GB drives, 80 GB Seagate ATA drive, Digital Performer 4.6
Hi, Tommy!
If you still have problems, trash the following three preference files, then shut down and do a PMU reset. (PMU reset procedure for the QS is the same as is shown at the link for the Gigabit Ethernet.)
HD/Library/Preferences/SystemConfiguration/com.apple.AutoWake.plist
HD/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist
User/Library/Preferences/com.apple.systemuiserver.plist
Gary
1GHz DP G4 Quicksilver 2002, 400MHz B&W rev.2 G3, Mac SE30 Mac OS X (10.4.5) 5G iPod, Epson 2200 & R300 & LW Select 360 Printers, Epson 3200 Scanner -
Hello there, I am new here and very stressed. I have an iMac Core i3 which is logging itself off after a few seconds of login; it goes back to the login menu where I put in the password. I have tried to repair the OS but my Pioneer ROM is not reading the disk. I press the "C" key on startup but it's not picking up the disk in the ROM. I have tried to put the disk in an external ROM but got the same answer. I am starting to think that my OS disk is bad. Please help me.
Please read this whole message before doing anything.
This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
The purpose of this exercise is to determine whether the problem is caused by third-party system modifications that load automatically at startup or login. Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards. Boot in safe mode* and log in to the account with the problem. The instructions provided by Apple are as follows:
Be sure your Mac is shut down.
Press the power button.
Immediately after you hear the startup tone, hold the Shift key. The Shift key should be held as soon as possible after the startup tone, but not before the tone.
Release the Shift key when you see the gray Apple icon and the progress indicator (looks like a spinning gear).
*Note: If FileVault is enabled under Mac OS X 10.7 or later, or if a firmware password is set, you can’t boot in safe mode.
Safe mode is much slower to boot and run than normal, and some things won’t work at all, including wireless networking on certain Macs.
The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.
Test while in safe mode. Same problem(s)?
After testing, reboot as usual (i.e., not in safe mode) and verify that you still have the problem. Post the results of the test. -
ITunes reopens itself after closing
Greetings,
Since version 5 I and many others whom I know cannot close iTunes. It closes then immediately re-opens itself. Even using Task Manager to close it, it simply re-opens itself again, and in the end the only way to close iTunes is to re-boot the computer.
I have sent Apple about 50 emails with regard to this problem, as have many other people I know, but none of us has ever received a reply.
I believe this is a common problem.
I have managed to ascertain that the first opening of iTunes uses the path C:\Programs\iTunes, but that all automatic re-openings thereafter carry a suffix: C:\Programs\iTunes\ -embedding.
I have disabled all my security software and the problem persists.
Please does anybody know how to resolve this problem?
Thank you,
nippauls
PROBLEM RESOLVED!
Here is what I did and it has fixed the issue of iTunes continually re-opening itself after closing with reference to DCOM and embedding.
I disabled DrWatson by editing the following registry key from 1 to 0:
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AeDebug = 0
I disabled DCOM by editing the following registry key from Y to N:
HKLM\SOFTWARE\Microsoft\OLE\EnableDCOM = N
Then I restarted the computer.
Then, using Control Panel, I removed iTunes and restarted.
Then I went to C:\Programs and deleted EVERY folder relating to iTunes and iPod. If a folder refuses to be deleted, open Task Manager and terminate the relevant iPod process then it will be possible to delete the folder.
I then cleared my Prefetch folder, temp folder, and then recycle bin.
I restarted the computer, and re-installed iTunes.
PROBLEM RESOLVED
Hope this helps other users with similar problems.
nippauls -
Converting crypto map to unnumbered VTI
I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto map has been working for months. The VTI... not so much. Here are the applicable config entries.
### original config
crypto isakmp policy 30
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 10.1.1.10
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTO 50 ipsec-isakmp
set peer 10.1.1.10
set transform-set 3DES-SHA
set pfs group2
match address VPN1
ip access-list extended VPN1
permit ip host 172.16.16.10 host 10.5.5.1
permit ip host 172.16.16.10 host 10.5.5.4
I only removed the crypto map and added the following.
### New Config
crypto ipsec profile V1
set security-association lifetime seconds 28800
set transform-set 3DES-SHA
set pfs group2
interface Tunnel0
ip unnumbered FastEthernet0/0
ip nat outside
ip virtual-reassembly
tunnel source 172.16.8.1
tunnel destination 10.1.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile V1
I keep getting this ISAKMP error now.
ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)
Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.
Thank you!
Access-lists, FW (ZBF, CBAC) and all other features work on SVTI the same way they would work on a physical or other logical interface (with very few exceptions).
-
VPN used loopback counts +1 after reload
Hi *,
We have a Cisco 886 router with an IOS 15.X.
The VPN tunnel is built on a loopback interface (lo10000).
At the same time the loopback interface is the Source interface for TACACS, Logging & SNMP.
Everything works beautifully.
However, if you do a reload, the tunnel uses the next free loopback interface, for example loopback 10001; with every reload the loopback number is incremented by one. This confuses the rest of the configuration (TACACS, SNMP, etc.), which therefore no longer works.
Does anyone have an idea what the problem is?
Thanks in advance!
Is this a GRE over IPsec tunnel or is it a crypto map based tunnel?
-
"Crypto map" to inside/internal interface. Possible?
Hi, I have a two routers on a point to point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine but I need each router to present a different IP address to that of the external interface.
For example:
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 4.4.4.4 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 4.4.4.4
set transform-set 3des
match address vpn
interface FastEthernet0/0
ip address 4.4.4.4 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 10
full-duplex
no cdp enable
crypto map VPN
interface FastEthernet0/1
ip address 8.8.8.8 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the crypto statements as below, but it still presents the 4.4.4.4, probably due to the interface the crypto map is applied to.
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 8.8.8.8 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 8.8.8.8
set transform-set 3des
match address vpn
How can I make sure that 8.8.8.8 is what's presented at the other end?
Thanks
Andy
Hi Andy,
I would suggest the following command:
crypto map local-address
http://tools.cisco.com/squish/9c85B
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Example:
interface loopback0
ip address 4.2.2.2 255.255.255.252
crypto map mymap local-address loopback0
interface S0
crypto map mymap
Of course you need to make sure the remote end can reach this additional IP address.
Let me know if you have any questions.
Please rate any post that you find useful.