"Crypto map" to inside/internal interface. Possible?

Similar Messages

• Multiple Crypto Maps on Single Outside Interface

  Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
  crypto map azure-crypto-map 10 match address azure-vpn-acl
  crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
  crypto map azure-crypto-map interface outside
  However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
  crypto map azure-crypto-map interface outside
  which blows away my original line:
  crypto map outside_map interface outside
  It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

  Hi,
  You can use the same "crypto map"
  Just add
  crypto map outside_map 10 match address azure-vpn-acl
  crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
  Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
  And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
  If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
  Hope this helps
  - Jouni

• Crypto Map on Loopback interface or Physical Interface

  Dear All,
  When we try to apply the crypto map on any physical interface or the loopback interface on WS-6506-E, it is showing the error. But the same i could apply on VLAN interface. Can anyone explain me what is the issue..?
  6506(config)#interface loopback 3
  6506(config-if)#crypto map XXXX
  ERROR: Crypto Map configuration is not supported on the given interface
  Any hardware limitation?

  This was proven to break CEF in the past and is a bad design choice by default.
  Newer release do not allow you to configure this.
  If you're curious if it will work for you check releases prior to 15.x.
  M.

• Lose telnet capability after crypto map

  Hello,
  I have 2 DSL routers setup with a VPN tunnel between them. The VPN works fine. Before setting up the tunnel, I had telnet/SSH access. However, when I apply the crypto map to the Dialer interface, I lose the ability to telnet/SSH to the router. If I remove the VPN setup, I regain the ability to telnet/SSH.
  Any thoughts? I was wondering if the fact the Dialer interface is a logical interface is what is causing the problems?
  Thanks.
  Tony

  Here is the config. ACL 120 has permit ip any any but it is referenced by NAT not the Crypto. Crypto references ACL 130. I have seen it posted not to put any any in the Crypto ACLs, perhaps this applies to the NAT as well. I will try changing that one. Anyway, here is the config. Pretty straight-forward.
  sh run
  Building configuration...
  Current configuration : 2927 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Ashtabula
  boot-start-marker
  boot-end-marker
  enable secret 5
  no aaa new-model
  dot11 syslog
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.1.1 192.168.1.50
  ip dhcp pool Ash-dhcp
  network 192.168.1.0 255.255.255.0
  dns-server 166.x.x.11 166.102.165.13
  default-router 192.168.1.1
  lease 7
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  no ip domain lookup
  ip domain name Ashtabula.local
  ip name-server 166.102.165.11
  ip name-server 166.102.165.13
  vpdn enable
  username
  username
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key xxxxxxxx address xx.xx.xx.xx no-xauth
  crypto ipsec transform-set ToMead esp-3des esp-sha-hmac
  crypto map Meadville 10 ipsec-isakmp
  set peer xx.xx.xx.xx
  set transform-set ToMead
  match address 130
  archive
  log config
  hidekeys
  bridge irb
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  dsl operating-mode auto
  interface ATM0.1 point-to-point
  pvc 0/35
  pppoe-client dial-pool-number 1
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Dot11Radio0
  no ip address
  shutdown
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Vlan1
  description LAN
  ip address 192.168.1.1 255.255.255.0
  ip access-group 100 in
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
  bridge-group 10
  bridge-group 10 spanning-disabled
  interface Dialer0
  ip address yy.yy.yy.yy 255.255.255.252
  ip access-group 100 in
  ip mtu 1492
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip tcp adjust-mss 1452
  dialer pool 1
  dialer-group 1
  no cdp enable
  ppp authentication pap callin
  ppp pap sent-username xxxxxxx password 0 xxxxxxx
  ppp ipcp dns request
  ppp ipcp address accept
  crypto map Meadville
  interface Dialer1
  no ip address
  no cdp enable
  interface BVI10
  description Bridge to Internal Network
  no ip address
  ip virtual-reassembly
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip route 192.168.1.0 255.255.255.0 Vlan1
  ip http server
  no ip http secure-server
  ip nat inside source list 120 interface Dialer0 overload
  access-list 1 permit 192.168.1.0 0.0.0.255
  access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
  access-list 120 permit ip any any
  access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
  dialer-list 1 protocol ip permit
  no cdp run
  control-plane
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  password xxxxxxxxxx
  login local
  scheduler max-task-time 5000
  end

• Help with IPSEC? Can you apply crypto map to SVI?

  Hi All,
  Got a problem with a site-to-site IPSEC vpn implementation where one end is using SVI (eg: interface vlan 10).
  Does any body know if a crypto map can be applied to a SVI to bring up the IPSEC tunnel? It accepts the command but I can't pass any traffic to/from it.
  interface vlan 10
  crypto map MY-MAP
  Or do you need to apply the crypto map to a physical interface?
  I've gotten it working on a sub-interface (eg: interface GigabitEthernet0/0.11) but can't find any documentation that talks about applying it to a SVI and whether this will work. Anybody tried it using SVI's before?
  This is to be done on a Cisco 7606 (sup720).
  Thanks.
  Andy

  Hi Jerry,
  I'm not that cluey with all the hardware on the box itself, but here's what we have on the box.
  core1#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2)
  cisco CISCO7606 (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.
  Processor board ID FOX092502NB
  SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
  Last reset from power-on
  SuperLAT software (copyright 1990 by Meridian Technology Corp).
  X.25 software, Version 3.0.0.
  Bridging software.
  TN3270 Emulation software.
  228 Virtual Ethernet/IEEE 802.3 interfaces
  124 Gigabit Ethernet/IEEE 802.3 interfaces
  4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
  1917K bytes of non-volatile configuration memory.
  8192K bytes of packet buffer memory.
  65536K bytes of Flash internal SIMM (Sector size 512K).
  Configuration register is 0x2102
  core1#sh mod
  Mod Ports Card Type Model
  1 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
  2 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX
  3 24 CEF720 24 port 1000mb SFP WS-X6724-SFP
  4 4 CEF720 4 port 10-Gigabit Ethernet WS-X6704-10GE
  5 2 Supervisor Engine 720 (Active) WS-SUP720-3B
  6 2 Supervisor Engine 720 (Hot) WS-SUP720-3B
  Mod Sub-Module Model Hw Status
  1 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
  2 Centralized Forwarding Card WS-F6700-CFC 2.1 Ok
  3 Centralized Forwarding Card WS-F6700-CFC 4.0 Ok
  4 Centralized Forwarding Card WS-F6700-CFC 4.1 Ok
  5 Policy Feature Card 3 WS-F6K-PFC3B 2.1 Ok
  5 MSFC3 Daughterboard WS-SUP720 2.3 Ok
  6 Policy Feature Card 3 WS-F6K-PFC3B 2.3 Ok
  6 MSFC3 Daughterboard WS-SUP720 3.0 Ok
  Based on the specs above, is this box capable of establishing a IPSEC tunnel by applying the crypto map to the SVI???
  Thanks.
  Andy

• Site to Site VPN working without Crypto Map (ASA 8.2(1))

  Hi All,
  Found a strange situation on our ASA5540 firewall :
  We have couple Site to Site VPNs and also enable cleint VPN on the ASA, all are working fine. But found a Site to Site VPN is up and running without crypto map configuration. Is it possible ?
  I tried to clear isa sa and clear ipsec sa then the VPN came up again. Also tested it's pingable to remote site thru the VPN.
  I did see there is tunnel-group config for the VPN but didn't see any crypto map and ACL.
  How does Firewall know which traffic need be encrypted to this VPN tunnel without crypto map?
  Is it the bug ?
  Thanks in advance,

  It might be an easy vpn setup.
  Could you post a running config output remove any sensitive info.  This could help us answer your question more exactly.

• Crypto on loopback or wan interface

  hello,
  i have routers terminating vpn on both sides with the loopback ip address as peers.
  should i apply the crypto on the loopback interface or on the wan interface?
  Thanks.

  Hi,
  You apply the crypto map on the wan interface.
  Dont forget to identify the loopback interface as the source in you crypto-map
  crypto map mapname local-address loopback 0
  Please rate helpful post

• PING is unavailable after CRYPTO MAP on interface

  Hi guys,
  I have problem with ping to public IP of my router (Cisco 2801) I checked all my ACLs but only when I remove crypto map from interface PING is going well. 
  interface FastEthernet0/0
   description ---LAN---$FW_INSIDE$
   ip address 192.168.28.31 255.255.255.0
   ip access-group 103 in
   ip nat inside
   ip virtual-reassembly
   duplex auto
   speed auto
   no mop enabled
  interface FastEthernet0/1
   description ---WAN---$FW_OUTSIDE$$ES_LAN$
   ip address 109.68.238.175 255.255.255.224
   ip access-group 104 in
   no ip proxy-arp
   ip nat outside
   ip virtual-reassembly
   duplex auto
   speed 10 
   crypto map MAIN
   and crypto map MAIN 
  crypto map MAIN 1 ipsec-isakmp 
   description a1
   set peer 180.94.84.177
   set peer 180.94.84.181
   set transform-set a1 
   match address a1
  crypto map MAIN 2 ipsec-isakmp 
   description a2 
   set peer 67.159.45.250
   set transform-set a2 
   match address a2
  and ACLs for this MAIN crypto 
  ip access-list extended a1
   remark CCP_ACL Category=4
   permit ip host 192.168.28.31 host 10.150.82.43
   permit ip host 192.168.28.30 host 10.150.82.43
   permit ip host 192.168.28.31 host 10.150.82.73
   permit ip host 192.168.28.30 host 10.150.82.73
   permit icmp any any
  ip access-list extended a2
   remark CCP_ACL Category=20
   permit ip host 192.168.28.31 host 67.159.51.2
   permit ip host 192.168.28.30 host 67.159.51.2
   permit ip host 192.168.28.31 host 67.159.51.14
   permit ip host 192.168.28.30 host 67.159.51.14
   permit ip host 192.168.28.31 host 67.159.51.10
   permit ip host 192.168.28.30 host 67.159.51.10
   permit icmp any any
  ACL for inbound in WAN interface
  access-list 104 remark CCP_ACL Category=17
  access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq non500-isakmp
  access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq isakmp
  access-list 104 permit esp host 180.94.84.177 host 109.68.238.175
  access-list 104 permit ahp host 180.94.84.177 host 109.68.238.175
  access-list 104 permit ip host 67.159.51.10 host 192.168.28.30
  access-list 104 permit ip host 67.159.51.10 host 192.168.28.31
  access-list 104 permit ip host 67.159.51.14 host 192.168.28.30
  access-list 104 permit ip host 67.159.51.14 host 192.168.28.31
  access-list 104 permit ip host 67.159.51.2 host 192.168.28.30
  access-list 104 permit ip host 67.159.51.2 host 192.168.28.31
  access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq non500-isakmp
  access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq isakmp
  access-list 104 permit esp host 180.94.84.181 host 109.68.238.175
  access-list 104 permit ahp host 180.94.84.181 host 109.68.238.175
  access-list 104 permit ip host 10.150.82.73 host 192.168.28.30
  access-list 104 permit ip host 10.150.82.73 host 192.168.28.31
  access-list 104 permit ip host 10.150.82.43 host 192.168.28.30
  access-list 104 permit ip host 10.150.82.43 host 192.168.28.31
  access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq non500-isakmp
  access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq isakmp
  access-list 104 permit esp host 67.159.45.250 host 109.68.238.175
  access-list 104 permit ahp host 67.159.45.250 host 109.68.238.175
  access-list 104 permit icmp any any
  access-list 104 permit esp any host 67.159.45.250
  access-list 104 permit udp any host 67.159.45.250 eq non500-isakmp
  access-list 104 permit udp any host 67.159.45.250 eq isakmp
  access-list 104 permit ahp any host 67.159.45.250
  Please show me where is problem in my configs, I try to change my config several time but problem still exist 

  Nik
  As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
  I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?
  HTH
  Rick

• Can I enter crypto map command on an ethernet interface(LAN)

  Hi Friends,
  I am establishing VPN tunnel through Internet. I have the public address configured on Ethernet interface of router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface. Please help me providing the knowledge.

  your crypto map must be bound to outside interface.
  but you can chose which ip to use
  http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
  [Pls RATE if HELPS]

• Which interface does "crypto map vpn" get assigned to?

  I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4 which is my WAN side.

  Sander
  If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
  If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
  HTH
  Rick
  Sent from Cisco Technical Support iPhone App

• Crypto Map on Tunnel interface

  hi guys, when i trying to apply crypto map on tunnel interface , debug is (
  crypto map is configured on tunnel interface.  Currently only GDOI crypto map is supported on tunnel interface )
  why i can't apply simple crypto map on tunnel interface? anyone knows?
  thanks

  This was proven to break CEF in the past and is a bad design choice by default.
  Newer release do not allow you to configure this.
  If you're curious if it will work for you check releases prior to 15.x.
  M.

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

  Hi,
  I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
  Any ideas?
  Thanks Steve
  https://supportforums.cisco.com/thread/255085
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
  5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
  4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
  3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
  6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
  6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0

• [ERR]crypto map WARNING: This crypto map is incomplete

  i have PIX 501 ver6.3(5) when i setup VPN i get this error message
  WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
  although it seems fine in sh conf command
  but tunnel is not started
  when i review log i found
  sa_request,ISAKMP Phase 1 exchange started

  i could successfully establish VPN with another FW cisco 501 6.3
  but still can't fix my dilemma which i connect to Huawei Eudemon 500‎
  sh isakmp
  PIX Version 6.3(5)‎
  interface ethernet0 10full
  interface ethernet1 100full
  nameif ethernet0 outside security0‎
  nameif ethernet1 inside security100 ‎
  access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1‎
  access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2‎
  access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1‎
  access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2 ‎
  global (outside) 1 interface‎
  nat (inside) 0 access-list inside_outbound_nat0_acl
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ‎
  crypto ipsec security-association lifetime seconds 3600‎
  crypto map outside_map 100 ipsec-isakmp
  crypto map outside_map 100 match address outside_cryptomap_100‎
  crypto map outside_map 100 set peer remote peer
  crypto map outside_map 100 set transform-set ESP-3DES-SHA
  crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200‎
  crypto map outside_map interface outside
  isakmp enable outside
  ‎ ‎
  isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode ‎
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash sha‎
  isakmp policy 20 group 2‎
  isakmp policy 20 lifetime 86400‎
  sh crypto map
  Crypto Map: "outside_map" interfaces: { outside }‎
  Crypto Map "outside_map" 100 ipsec-isakmp
  Peer = remote peer
  access-list outside_cryptomap_100; 2 elements‎
  access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 ‎‎(hitcnt=14) ‎
  access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 ‎‎(hitcnt=6) ‎
  Current peer: remote peer
  Security association lifetime: 1843200 kilobytes/3600 seconds‎
  PFS (Y/N): N
  Transform sets={ ESP-3DES-SHA, }‎
  Crypto Map: "set" interfaces: { }‎

• Internal Interface VPN access

  Ok, I have a question for everyone. I have an ASA 5510 that I want to do VPN testing on for users that remote into the system from home. What I am wanting to do is create a VPN connection on the internal interface so that I can test the connections and connectivity before I give it to them and find out it does not work when they get home. I have tried to set up using the ASDM Wizard to the internal interface and got all the way through the set up OK. Once I try to connect, using the Cisco Client, it will connect and authenticate fine, but will not remote to or ping anything on the network.
  Here are the settings that I am using:
  Remote Access
  Internal interface
  Cisco VPN Client Release 3.x or higher
  Authenticate via AAA server
  Address Pool name: test
  Address Pool Range: 192.168.1.1 - 192.168.1.5
  Address Pool Subnet Mask: 255.255.0.0
  Leaveing DNS and Wins server selections blank
  Using the default Encryption
  Internal access (NAT) with the exempt network of 192.168.0.0 /16 network, internal interface
  Split Tunneling is not enabled
  I can connect to the ASA fine, just cant get to the server with an address of 192.168.100.1.
  I tried manual entery of an ACL rule for ANY to ANY on the internal network and that made no difference at all.
  Any suggestions??
  -Jon

  Jon,
  Is  your crypto map #6  your  RA VPN tunnel ? if  so that  could be one of your problems,   if you're  running code  8.x and above nat-t is enabled by default, so you just need t remove that line  ( not crypto map_Outside_map 6 set nat-t disable )  and try accessing inside resources ,  if your asa is running 7.x codes  use  the command  above in  the link  previously provided in addition to  removing the line you have found in your crypoto map.   You should be fine removing it
  http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/c5.html#wp2266389
  Regards

• IPSec VRF Aware (Crypto Map)

  Hello!
  I have some problem with configuring vrf aware Ipsec (Crypto Map).
  Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.  
  Configuration below:
  ip vrf outside
   rd 1:1
  ip vrf inside
   rd 2:2
  track 10 ip sla 10 reachability
  ip sla schedule 10 life forever start-time now
  crypto keyring outside vrf outside 
    pre-shared-key address 10.10.10.100 key XXXXXX
  crypto isakmp policy 20
   encr aes 256
   authentication pre-share
   group 2
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10 periodic
  crypto isakmp profile AS_outside
     vrf inside
     keyring outside
     match identity address 10.10.10.100 255.255.255.255 outside
     isakmp authorization list default
  crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac 
   mode tunnel
  crypto ipsec df-bit clear
  crypto map outside 10 ipsec-isakmp 
   set peer 10.10.10.100
   set security-association idle-time 3600
   set transform-set ESP-AES 
   set pfs group2
   set isakmp-profile AS_outside
   match address inside_access
  ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
  ip access-list extended inside_access
   permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
  icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
   vrf outside
  interface GigabitEthernet0/0.806
  ip vrf forwarding outside
  ip address 10.10.10.101 255.255.255.0
  crypto-map outside
  interface GigabitEthernet0/1.737
  ip vrf forwarding inside
  ip address 10.6.6.252 255.255.255.248

  Hello Frank!
  >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
  I tried it before. Nothing changes.
  >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
  It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
  show command below:
  ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
   10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
  ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
  10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
    sources: RIB 
    feature space:
     NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
    ifnums:
     GigabitEthernet0/0.806(24): 10.10.10.100
    path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
    nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)