"Crypto map" to inside/internal interface. Possible?
Hi, I have a two routers on a point to point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine but I need each router to present a different IP address to that of the external interface.
For example:
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 4.4.4.4 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 4.4.4.4
set transform-set 3des
match address vpn
interface FastEthernet0/0
ip address 4.4.4.4 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 10
full-duplex
no cdp enable
crypto map VPN
interface FastEthernet0/1
ip address 8.8.8.8 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the Crypto statements as below but it still presents the 4.4.4.4 probably due to the interface the Crypto map is applied
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 8.8.8.8 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 8.8.8.8
set transform-set 3des
match address vpn
How can I make sure that 8.8.8.8 is what's presented at the other end?
Thanks
Andy
Hi Andy,
I would suggest the following command:
crypto map local-address
http://tools.cisco.com/squish/9c85B
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Example:
interface loopback0
ip address 4.2.2.2 255.255.255.252
crypto map mymap local-address loopback0
interface S0
crypto map mymap
Of course you need to make sure the remote end can reach this additional IP address.
Let me know if you have any questions.
Please rate any post that you find useful.
Similar Messages
-
Multiple Crypto Maps on Single Outside Interface
Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
crypto map azure-crypto-map interface outside
which blows away my original line:
crypto map outside_map interface outside
It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.Hi,
You can use the same "crypto map"
Just add
crypto map outside_map 10 match address azure-vpn-acl
crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
Hope this helps
- Jouni -
Crypto Map on Loopback interface or Physical Interface
Dear All,
When we try to apply the crypto map on any physical interface or the loopback interface on WS-6506-E, it is showing the error. But the same i could apply on VLAN interface. Can anyone explain me what is the issue..?
6506(config)#interface loopback 3
6506(config-if)#crypto map XXXX
ERROR: Crypto Map configuration is not supported on the given interface
Any hardware limitation?This was proven to break CEF in the past and is a bad design choice by default.
Newer release do not allow you to configure this.
If you're curious if it will work for you check releases prior to 15.x.
M. -
Lose telnet capability after crypto map
Hello,
I have 2 DSL routers setup with a VPN tunnel between them. The VPN works fine. Before setting up the tunnel, I had telnet/SSH access. However, when I apply the crypto map to the Dialer interface, I lose the ability to telnet/SSH to the router. If I remove the VPN setup, I regain the ability to telnet/SSH.
Any thoughts? I was wondering if the fact the Dialer interface is a logical interface is what is causing the problems?
Thanks.
TonyHere is the config. ACL 120 has permit ip any any but it is referenced by NAT not the Crypto. Crypto references ACL 130. I have seen it posted not to put any any in the Crypto ACLs, perhaps this applies to the NAT as well. I will try changing that one. Anyway, here is the config. Pretty straight-forward.
sh run
Building configuration...
Current configuration : 2927 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Ashtabula
boot-start-marker
boot-end-marker
enable secret 5
no aaa new-model
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool Ash-dhcp
network 192.168.1.0 255.255.255.0
dns-server 166.x.x.11 166.102.165.13
default-router 192.168.1.1
lease 7
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name Ashtabula.local
ip name-server 166.102.165.11
ip name-server 166.102.165.13
vpdn enable
username
username
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx no-xauth
crypto ipsec transform-set ToMead esp-3des esp-sha-hmac
crypto map Meadville 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ToMead
match address 130
archive
log config
hidekeys
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 10
bridge-group 10 spanning-disabled
interface Dialer0
ip address yy.yy.yy.yy 255.255.255.252
ip access-group 100 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 0 xxxxxxx
ppp ipcp dns request
ppp ipcp address accept
crypto map Meadville
interface Dialer1
no ip address
no cdp enable
interface BVI10
description Bridge to Internal Network
no ip address
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan1
ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxx
login local
scheduler max-task-time 5000
end -
Help with IPSEC? Can you apply crypto map to SVI?
Hi All,
Got a problem with a site-to-site IPSEC vpn implementation where one end is using SVI (eg: interface vlan 10).
Does any body know if a crypto map can be applied to a SVI to bring up the IPSEC tunnel? It accepts the command but I can't pass any traffic to/from it.
interface vlan 10
crypto map MY-MAP
Or do you need to apply the crypto map to a physical interface?
I've gotten it working on a sub-interface (eg: interface GigabitEthernet0/0.11) but can't find any documentation that talks about applying it to a SVI and whether this will work. Anybody tried it using SVI's before?
This is to be done on a Cisco 7606 (sup720).
Thanks.
AndyHi Jerry,
I'm not that cluey with all the hardware on the box itself, but here's what we have on the box.
core1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
cisco CISCO7606 (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.
Processor board ID FOX092502NB
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.
228 Virtual Ethernet/IEEE 802.3 interfaces
124 Gigabit Ethernet/IEEE 802.3 interfaces
4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
core1#sh mod
Mod Ports Card Type Model
1 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
2 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
3 24 CEF720 24 port 1000mb SFP WS-X6724-SFP
4 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE
5 2 Supervisor Engine 720 (Active) WS-SUP720-3B
6 2 Supervisor Engine 720 (Hot) WS-SUP720-3B
Mod Sub-Module Model Hw Status
1 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
2 Centralized Forwarding Card WS-F6700-CFC 2.1 Ok
3 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
4 Centralized Forwarding Card WS-F6700-CFC 4.1 Ok
5 Policy Feature Card 3 WS-F6K-PFC3B 2.1 Ok
5 MSFC3 Daughterboard WS-SUP720 2.3 Ok
6 Policy Feature Card 3 WS-F6K-PFC3B 2.3 Ok
6 MSFC3 Daughterboard WS-SUP720 3.0 Ok
Based on the specs above, is this box capable of establishing a IPSEC tunnel by applying the crypto map to the SVI???
Thanks.
Andy -
Site to Site VPN working without Crypto Map (ASA 8.2(1))
Hi All,
Found a strange situation on our ASA5540 firewall :
We have couple Site to Site VPNs and also enable cleint VPN on the ASA, all are working fine. But found a Site to Site VPN is up and running without crypto map configuration. Is it possible ?
I tried to clear isa sa and clear ipsec sa then the VPN came up again. Also tested it's pingable to remote site thru the VPN.
I did see there is tunnel-group config for the VPN but didn't see any crypto map and ACL.
How does Firewall know which traffic need be encrypted to this VPN tunnel without crypto map?
Is it the bug ?
Thanks in advance,It might be an easy vpn setup.
Could you post a running config output remove any sensitive info. This could help us answer your question more exactly. -
Crypto on loopback or wan interface
hello,
i have routers terminating vpn on both sides with the loopback ip address as peers.
should i apply the crypto on the loopback interface or on the wan interface?
Thanks.Hi,
You apply the crypto map on the wan interface.
Dont forget to identify the loopback interface as the source in you crypto-map
crypto map mapname local-address loopback 0
Please rate helpful post -
PING is unavailable after CRYPTO MAP on interface
Hi guys,
I have problem with ping to public IP of my router (Cisco 2801) I checked all my ACLs but only when I remove crypto map from interface PING is going well.
interface FastEthernet0/0
description ---LAN---$FW_INSIDE$
ip address 192.168.28.31 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description ---WAN---$FW_OUTSIDE$$ES_LAN$
ip address 109.68.238.175 255.255.255.224
ip access-group 104 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed 10
crypto map MAIN
and crypto map MAIN
crypto map MAIN 1 ipsec-isakmp
description a1
set peer 180.94.84.177
set peer 180.94.84.181
set transform-set a1
match address a1
crypto map MAIN 2 ipsec-isakmp
description a2
set peer 67.159.45.250
set transform-set a2
match address a2
and ACLs for this MAIN crypto
ip access-list extended a1
remark CCP_ACL Category=4
permit ip host 192.168.28.31 host 10.150.82.43
permit ip host 192.168.28.30 host 10.150.82.43
permit ip host 192.168.28.31 host 10.150.82.73
permit ip host 192.168.28.30 host 10.150.82.73
permit icmp any any
ip access-list extended a2
remark CCP_ACL Category=20
permit ip host 192.168.28.31 host 67.159.51.2
permit ip host 192.168.28.30 host 67.159.51.2
permit ip host 192.168.28.31 host 67.159.51.14
permit ip host 192.168.28.30 host 67.159.51.14
permit ip host 192.168.28.31 host 67.159.51.10
permit ip host 192.168.28.30 host 67.159.51.10
permit icmp any any
ACL for inbound in WAN interface
access-list 104 remark CCP_ACL Category=17
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ip host 67.159.51.10 host 192.168.28.30
access-list 104 permit ip host 67.159.51.10 host 192.168.28.31
access-list 104 permit ip host 67.159.51.14 host 192.168.28.30
access-list 104 permit ip host 67.159.51.14 host 192.168.28.31
access-list 104 permit ip host 67.159.51.2 host 192.168.28.30
access-list 104 permit ip host 67.159.51.2 host 192.168.28.31
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ip host 10.150.82.73 host 192.168.28.30
access-list 104 permit ip host 10.150.82.73 host 192.168.28.31
access-list 104 permit ip host 10.150.82.43 host 192.168.28.30
access-list 104 permit ip host 10.150.82.43 host 192.168.28.31
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 67.159.45.250 host 109.68.238.175
access-list 104 permit ahp host 67.159.45.250 host 109.68.238.175
access-list 104 permit icmp any any
access-list 104 permit esp any host 67.159.45.250
access-list 104 permit udp any host 67.159.45.250 eq non500-isakmp
access-list 104 permit udp any host 67.159.45.250 eq isakmp
access-list 104 permit ahp any host 67.159.45.250
Please show me where is problem in my configs, I try to change my config several time but problem still existNik
As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?
HTH
Rick -
Can I enter crypto map command on an ethernet interface(LAN)
Hi Friends,
I am establishing VPN tunnel through Internet. I have the public address configured on Ethernet interface of router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface. Please help me providing the knowledge.your crypto map must be bound to outside interface.
but you can chose which ip to use
http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
[Pls RATE if HELPS] -
Which interface does "crypto map vpn" get assigned to?
I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4 which is my WAN side.
Sander
If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
HTH
Rick
Sent from Cisco Technical Support iPhone App -
Crypto Map on Tunnel interface
hi guys, when i trying to apply crypto map on tunnel interface , debug is (
crypto map is configured on tunnel interface. Currently only GDOI crypto map is supported on tunnel interface )
why i can't apply simple crypto map on tunnel interface? anyone knows?
thanksThis was proven to break CEF in the past and is a bad design choice by default.
Newer release do not allow you to configure this.
If you're curious if it will work for you check releases prior to 15.x.
M. -
Hi,
I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
Any ideas?
Thanks Steve
https://supportforums.cisco.com/thread/255085
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT deviceAre you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0 -
[ERR]crypto map WARNING: This crypto map is incomplete
i have PIX 501 ver6.3(5) when i setup VPN i get this error message
WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
although it seems fine in sh conf command
but tunnel is not started
when i review log i found
sa_request,ISAKMP Phase 1 exchange startedi could successfully establish VPN with another FW cisco 501 6.3
but still can't fix my dilemma which i connect to Huawei Eudemon 500â
sh isakmp
PIX Version 6.3(5)â
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0â
nameif ethernet1 inside security100 â
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1â
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2â
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1â
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2 â
global (outside) 1 interfaceâ
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac â
crypto ipsec security-association lifetime seconds 3600â
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100â
crypto map outside_map 100 set peer remote peer
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200â
crypto map outside_map interface outside
isakmp enable outside
â â
isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode â
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash shaâ
isakmp policy 20 group 2â
isakmp policy 20 lifetime 86400â
sh crypto map
Crypto Map: "outside_map" interfaces: { outside }â
Crypto Map "outside_map" 100 ipsec-isakmp
Peer = remote peer
access-list outside_cryptomap_100; 2 elementsâ
access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 ââ(hitcnt=14) â
access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 ââ(hitcnt=6) â
Current peer: remote peer
Security association lifetime: 1843200 kilobytes/3600 secondsâ
PFS (Y/N): N
Transform sets={ ESP-3DES-SHA, }â
Crypto Map: "set" interfaces: { }â -
Ok, I have a question for everyone. I have an ASA 5510 that I want to do VPN testing on for users that remote into the system from home. What I am wanting to do is create a VPN connection on the internal interface so that I can test the connections and connectivity before I give it to them and find out it does not work when they get home. I have tried to set up using the ASDM Wizard to the internal interface and got all the way through the set up OK. Once I try to connect, using the Cisco Client, it will connect and authenticate fine, but will not remote to or ping anything on the network.
Here are the settings that I am using:
Remote Access
Internal interface
Cisco VPN Client Release 3.x or higher
Authenticate via AAA server
Address Pool name: test
Address Pool Range: 192.168.1.1 - 192.168.1.5
Address Pool Subnet Mask: 255.255.0.0
Leaveing DNS and Wins server selections blank
Using the default Encryption
Internal access (NAT) with the exempt network of 192.168.0.0 /16 network, internal interface
Split Tunneling is not enabled
I can connect to the ASA fine, just cant get to the server with an address of 192.168.100.1.
I tried manual entery of an ACL rule for ANY to ANY on the internal network and that made no difference at all.
Any suggestions??
-JonJon,
Is your crypto map #6 your RA VPN tunnel ? if so that could be one of your problems, if you're running code 8.x and above nat-t is enabled by default, so you just need t remove that line ( not crypto map_Outside_map 6 set nat-t disable ) and try accessing inside resources , if your asa is running 7.x codes use the command above in the link previously provided in addition to removing the line you have found in your crypoto map. You should be fine removing it
http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/c5.html#wp2266389
Regards -
IPSec VRF Aware (Crypto Map)
Hello!
I have some problem with configuring vrf aware Ipsec (Crypto Map).
Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto-map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
show command below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
Maybe you are looking for
-
please help i bought alot of apps and i would like to know how to transfer the purchases so i dont have to buy all of my apps twice.
-
ITunes upgrade - now forces mp3 file association to itunes
Older versions of iTunes would allow me to keep .mp3 file association pointing to winamp, but the latest version of itunes "steals" the mp3 file association back everytime it starts up. Winamp has a "reset file association at startup" checkbox in it'
-
How to stop the browser redirect me to Chinese version websites?
For example, when I typed in nba.com, it goes to http://china.nba.com/index.html?gr=www. Similarly to bing.com. In addition, when I shop in any website, the currency shows in CNY other than USD. I'm using the newest version of Firefox (English versio
-
Importing from a different media player?
Hi, i've just switched from a Creative Zen to an iPod video, so i'm wondering if anybody knows how to import music from the Creative Mediasource to iTunes?
-
How to locate a stolen iPad?
My iPad was stolen and I'm wondering if I can locate it by using location services and also disable it remotely?