PING is unavailable after CRYPTO MAP on interface
Hi guys,
I have problem with ping to public IP of my router (Cisco 2801) I checked all my ACLs but only when I remove crypto map from interface PING is going well.
interface FastEthernet0/0
description ---LAN---$FW_INSIDE$
ip address 192.168.28.31 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description ---WAN---$FW_OUTSIDE$$ES_LAN$
ip address 109.68.238.175 255.255.255.224
ip access-group 104 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed 10
crypto map MAIN
and crypto map MAIN
crypto map MAIN 1 ipsec-isakmp
description a1
set peer 180.94.84.177
set peer 180.94.84.181
set transform-set a1
match address a1
crypto map MAIN 2 ipsec-isakmp
description a2
set peer 67.159.45.250
set transform-set a2
match address a2
and ACLs for this MAIN crypto
ip access-list extended a1
remark CCP_ACL Category=4
permit ip host 192.168.28.31 host 10.150.82.43
permit ip host 192.168.28.30 host 10.150.82.43
permit ip host 192.168.28.31 host 10.150.82.73
permit ip host 192.168.28.30 host 10.150.82.73
permit icmp any any
ip access-list extended a2
remark CCP_ACL Category=20
permit ip host 192.168.28.31 host 67.159.51.2
permit ip host 192.168.28.30 host 67.159.51.2
permit ip host 192.168.28.31 host 67.159.51.14
permit ip host 192.168.28.30 host 67.159.51.14
permit ip host 192.168.28.31 host 67.159.51.10
permit ip host 192.168.28.30 host 67.159.51.10
permit icmp any any
ACL for inbound in WAN interface
access-list 104 remark CCP_ACL Category=17
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ip host 67.159.51.10 host 192.168.28.30
access-list 104 permit ip host 67.159.51.10 host 192.168.28.31
access-list 104 permit ip host 67.159.51.14 host 192.168.28.30
access-list 104 permit ip host 67.159.51.14 host 192.168.28.31
access-list 104 permit ip host 67.159.51.2 host 192.168.28.30
access-list 104 permit ip host 67.159.51.2 host 192.168.28.31
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ip host 10.150.82.73 host 192.168.28.30
access-list 104 permit ip host 10.150.82.73 host 192.168.28.31
access-list 104 permit ip host 10.150.82.43 host 192.168.28.30
access-list 104 permit ip host 10.150.82.43 host 192.168.28.31
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 67.159.45.250 host 109.68.238.175
access-list 104 permit ahp host 67.159.45.250 host 109.68.238.175
access-list 104 permit icmp any any
access-list 104 permit esp any host 67.159.45.250
access-list 104 permit udp any host 67.159.45.250 eq non500-isakmp
access-list 104 permit udp any host 67.159.45.250 eq isakmp
access-list 104 permit ahp any host 67.159.45.250
Please show me where is problem in my configs, I try to change my config several time but problem still exist
Nik
As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?
HTH
Rick
Similar Messages
-
Lose telnet capability after crypto map
Hello,
I have 2 DSL routers setup with a VPN tunnel between them. The VPN works fine. Before setting up the tunnel, I had telnet/SSH access. However, when I apply the crypto map to the Dialer interface, I lose the ability to telnet/SSH to the router. If I remove the VPN setup, I regain the ability to telnet/SSH.
Any thoughts? I was wondering if the fact the Dialer interface is a logical interface is what is causing the problems?
Thanks.
TonyHere is the config. ACL 120 has permit ip any any but it is referenced by NAT not the Crypto. Crypto references ACL 130. I have seen it posted not to put any any in the Crypto ACLs, perhaps this applies to the NAT as well. I will try changing that one. Anyway, here is the config. Pretty straight-forward.
sh run
Building configuration...
Current configuration : 2927 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Ashtabula
boot-start-marker
boot-end-marker
enable secret 5
no aaa new-model
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool Ash-dhcp
network 192.168.1.0 255.255.255.0
dns-server 166.x.x.11 166.102.165.13
default-router 192.168.1.1
lease 7
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name Ashtabula.local
ip name-server 166.102.165.11
ip name-server 166.102.165.13
vpdn enable
username
username
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx no-xauth
crypto ipsec transform-set ToMead esp-3des esp-sha-hmac
crypto map Meadville 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ToMead
match address 130
archive
log config
hidekeys
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 10
bridge-group 10 spanning-disabled
interface Dialer0
ip address yy.yy.yy.yy 255.255.255.252
ip access-group 100 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 0 xxxxxxx
ppp ipcp dns request
ppp ipcp address accept
crypto map Meadville
interface Dialer1
no ip address
no cdp enable
interface BVI10
description Bridge to Internal Network
no ip address
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan1
ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxx
login local
scheduler max-task-time 5000
end -
Multiple Crypto Maps on Single Outside Interface
Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
crypto map azure-crypto-map interface outside
which blows away my original line:
crypto map outside_map interface outside
It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.Hi,
You can use the same "crypto map"
Just add
crypto map outside_map 10 match address azure-vpn-acl
crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
Hope this helps
- Jouni -
"Crypto map" to inside/internal interface. Possible?
Hi, I have a two routers on a point to point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine but I need each router to present a different IP address to that of the external interface.
For example:
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 4.4.4.4 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 4.4.4.4
set transform-set 3des
match address vpn
interface FastEthernet0/0
ip address 4.4.4.4 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 10
full-duplex
no cdp enable
crypto map VPN
interface FastEthernet0/1
ip address 8.8.8.8 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the Crypto statements as below but it still presents the 4.4.4.4 probably due to the interface the Crypto map is applied
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 8.8.8.8 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 8.8.8.8
set transform-set 3des
match address vpn
How can I make sure that 8.8.8.8 is what's presented at the other end?
Thanks
AndyHi Andy,
I would suggest the following command:
crypto map local-address
http://tools.cisco.com/squish/9c85B
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Example:
interface loopback0
ip address 4.2.2.2 255.255.255.252
crypto map mymap local-address loopback0
interface S0
crypto map mymap
Of course you need to make sure the remote end can reach this additional IP address.
Let me know if you have any questions.
Please rate any post that you find useful. -
IPSec VRF Aware (Crypto Map)
Hello!
I have some problem with configuring vrf aware Ipsec (Crypto Map).
Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto-map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
show command below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete) -
[ERR]crypto map WARNING: This crypto map is incomplete
i have PIX 501 ver6.3(5) when i setup VPN i get this error message
WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
although it seems fine in sh conf command
but tunnel is not started
when i review log i found
sa_request,ISAKMP Phase 1 exchange startedi could successfully establish VPN with another FW cisco 501 6.3
but still can't fix my dilemma which i connect to Huawei Eudemon 500â
sh isakmp
PIX Version 6.3(5)â
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0â
nameif ethernet1 inside security100 â
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1â
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2â
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1â
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2 â
global (outside) 1 interfaceâ
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac â
crypto ipsec security-association lifetime seconds 3600â
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100â
crypto map outside_map 100 set peer remote peer
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200â
crypto map outside_map interface outside
isakmp enable outside
â â
isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode â
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash shaâ
isakmp policy 20 group 2â
isakmp policy 20 lifetime 86400â
sh crypto map
Crypto Map: "outside_map" interfaces: { outside }â
Crypto Map "outside_map" 100 ipsec-isakmp
Peer = remote peer
access-list outside_cryptomap_100; 2 elementsâ
access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 ââ(hitcnt=14) â
access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 ââ(hitcnt=6) â
Current peer: remote peer
Security association lifetime: 1843200 kilobytes/3600 secondsâ
PFS (Y/N): N
Transform sets={ ESP-3DES-SHA, }â
Crypto Map: "set" interfaces: { }â -
Crypto map entry is incomplete
Hi
This is my config below. The error i am recieving is crypto map entry is incomplete. Can someone please take a look and let me know. Thank you
ASA(config)# crypto map outside_map 1 match address outside_1_cryptomap
WARNING: The crypto map entry is incomplete!
ASA(config)# show run
: Saved
ASA Version 8.4(4)1
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net-local
subnet 10.10.10.20 255.255.255.0
object network net-remote
subnet 10.10.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.20 255.255.255.0 10.
10.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (any,any) source static net-local net-local destination static net-remote ne
t-remote
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 96.145.68.82
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.10.22-10.10.10.231 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 81.141.29.69 type ipsec-l2l
tunnel-group 81.141.29.69 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c2b7cdae5eb0961d822f634f2b36d3dc
: end
ASA(config)#Hi,
You lack a "transform-set" configuration from the "crypto map" line.
For example
Create the IKEv1 Transform set
crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac
and
Use it in the VPN configuration
crypto map outside_map 1 set ikev1 transform-set AES
The values ofcourse depend on the your own preference
Hope this helps
- Jouni -
Hi
If I have 2 crypto maps defined on my pix 506E. Traffic of my first crypto map goes for tunnel 1 & traffic of my second interface goes for tunnel2.
I can't apply the command crypto map CCS interface outside & crypto map PLC interface outside.
I am able to apply only one.
How can I do to use both crypto maps?
crypto ipsec transform-set my_PLC esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map PLC 30 ipsec-isakmp
crypto map PLC 30 match address PLC
crypto map PLC 30 set peer 10.10.10.1
crypto map PLC 30 set transform-set my_PLC
crypto map PLC interface outside
isakmp key ******* address 10.10.10.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto ipsec transform-set my_ccs esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set transform-set my_ccs
crypto map CCS interface outside
isakmp key ****** address 20.20.20.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400Hi
You can only have one crypto map per interface but you can have separate entries within the same crypto map eg.
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set transform-set my_ccs
crypto map CCS 30 ipsec-isakmp
crypto map CCS 30 match address PLC
crypto map CCS 30 set peer 10.10.10.1
crypto map CCS 30 set transform-set my_PLC
crypto map CCS interface outside
HTH
Jon -
I have PIX 515 and trying to add a gateway to gateway VPN tunnel with dynamic IP. I already have two other VPN tunnels configured with static IP. I enter the access-list 110 than the crypto map mymap 20 ipsec-isakmp no problem. than the crypto map mymap 20 match address 101 I get error message Crypto map incomplete. Why am I getting this error and how do I get around it. Thanks.
Yes I have an Incomplete.
crypto ipsec transform-set tr-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set tr-set
crypto dynamic-map dynmap 15 set transform-set tr-set
crypto dynamic-map dynmap 15 set security-association lifetime seconds 3600 kilo
bytes 4608000
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 70.106.123.11
crypto map mymap 10 set transform-set tr-set
crypto map mymap 15 ipsec-isakmp
crypto map mymap 15 match address 105
crypto map mymap 15 set peer 67.100.146.217
crypto map mymap 15 set transform-set tr-set
crypto map mymap 20 ipsec-isakmp
! Incomplete
crypto map mymap 6335 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside -
Crypto map removing itself after reload
Hello,
I just set up my site tot site vpn with a pix box and a cisco 3745.
The pix box is fine but the 3745 when ever I reload it the crypto map is not applied to the interface after the reload.Hello,
I did issue a write memory.
sh ver
Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25), R ELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 14:41 by prod_rel_team
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
FIBERJGX-3745-01 uptime is 3 hours, 49 minutes
System returned to ROM by reload at 01:32:53 UTC Fri Jul 5 2013
System restarted at 01:34:09 UTC Fri Jul 5 2013
System image file is "slot0:c3745-adventerprisek9-mz.124-25.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected]
Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
Processor board ID JMX0837L5AU
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
151K bytes of NVRAM.
31360K bytes of ATA System CompactFlash (Read/Write)
125952K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102 -
Which interface does "crypto map vpn" get assigned to?
I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4 which is my WAN side.
Sander
If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
HTH
Rick
Sent from Cisco Technical Support iPhone App -
Crypto Map on Loopback interface or Physical Interface
Dear All,
When we try to apply the crypto map on any physical interface or the loopback interface on WS-6506-E, it is showing the error. But the same i could apply on VLAN interface. Can anyone explain me what is the issue..?
6506(config)#interface loopback 3
6506(config-if)#crypto map XXXX
ERROR: Crypto Map configuration is not supported on the given interface
Any hardware limitation?This was proven to break CEF in the past and is a bad design choice by default.
Newer release do not allow you to configure this.
If you're curious if it will work for you check releases prior to 15.x.
M. -
Crypto Map on Tunnel interface
hi guys, when i trying to apply crypto map on tunnel interface , debug is (
crypto map is configured on tunnel interface. Currently only GDOI crypto map is supported on tunnel interface )
why i can't apply simple crypto map on tunnel interface? anyone knows?
thanksThis was proven to break CEF in the past and is a bad design choice by default.
Newer release do not allow you to configure this.
If you're curious if it will work for you check releases prior to 15.x.
M. -
Can I enter crypto map command on an ethernet interface(LAN)
Hi Friends,
I am establishing VPN tunnel through Internet. I have the public address configured on Ethernet interface of router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface. Please help me providing the knowledge.your crypto map must be bound to outside interface.
but you can chose which ip to use
http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
[Pls RATE if HELPS] -
Hi,
I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
Any ideas?
Thanks Steve
https://supportforums.cisco.com/thread/255085
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT deviceAre you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0
Maybe you are looking for
-
Creative Cloud Desktop - running but no icon
The Creative Cloud Desktop application does not appear to be working for me anymore. It worked when I first installed it, and after the next 1 or 2 times I booted my machine, but it hasn't worked since. It appears the application is running (if I dro
-
Issue in Deploying application in Weblogic 10 3 3 + Oracle JRockit(R) R28.1
Hi I have Weblogic 10 3 3 with Oracle JRockit(R) R28.1.0-123-138454-1.6.0_20-20101014-1350-linux-ia32 as my JVM on my Linux box. When I deploy my application and starts it, app goes to New state and my Managed servers (on which I deploy my app) are f
-
Payment orders in f110 when instructions (fields DTWS*) are involved
Hi, hope you can help me to solve following issue: When i prepare payment orders in payment program ( F110 ) invoices that have differente instructions ( values in fields DTWS* in invoices ) are not grouped together for payment by the payment prog
-
How to configure the network on Sun Solaris 8
The Sun workstation is a license server, and Window NT workstation need to access the license file that located in the sun workstation. Now the Window NT workstation cannot connect with the sun solaris, and I guess that I need to configure the networ
-
Not sure what happened. I used to be able to go to a site and then click a link within that site and it would open. Now it won't, I added it to pop-page and still nothing so i am in blogger and try to "add a gndget" and the link will not open i was i