PING is unavailable after CRYPTO MAP on interface

Similar Messages

• Lose telnet capability after crypto map

  Hello,
  I have 2 DSL routers setup with a VPN tunnel between them. The VPN works fine. Before setting up the tunnel, I had telnet/SSH access. However, when I apply the crypto map to the Dialer interface, I lose the ability to telnet/SSH to the router. If I remove the VPN setup, I regain the ability to telnet/SSH.
  Any thoughts? I was wondering if the fact the Dialer interface is a logical interface is what is causing the problems?
  Thanks.
  Tony

  Here is the config. ACL 120 has permit ip any any but it is referenced by NAT not the Crypto. Crypto references ACL 130. I have seen it posted not to put any any in the Crypto ACLs, perhaps this applies to the NAT as well. I will try changing that one. Anyway, here is the config. Pretty straight-forward.
  sh run
  Building configuration...
  Current configuration : 2927 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname Ashtabula
  boot-start-marker
  boot-end-marker
  enable secret 5
  no aaa new-model
  dot11 syslog
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.1.1 192.168.1.50
  ip dhcp pool Ash-dhcp
  network 192.168.1.0 255.255.255.0
  dns-server 166.x.x.11 166.102.165.13
  default-router 192.168.1.1
  lease 7
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  no ip domain lookup
  ip domain name Ashtabula.local
  ip name-server 166.102.165.11
  ip name-server 166.102.165.13
  vpdn enable
  username
  username
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key xxxxxxxx address xx.xx.xx.xx no-xauth
  crypto ipsec transform-set ToMead esp-3des esp-sha-hmac
  crypto map Meadville 10 ipsec-isakmp
  set peer xx.xx.xx.xx
  set transform-set ToMead
  match address 130
  archive
  log config
  hidekeys
  bridge irb
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  dsl operating-mode auto
  interface ATM0.1 point-to-point
  pvc 0/35
  pppoe-client dial-pool-number 1
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Dot11Radio0
  no ip address
  shutdown
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Vlan1
  description LAN
  ip address 192.168.1.1 255.255.255.0
  ip access-group 100 in
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
  bridge-group 10
  bridge-group 10 spanning-disabled
  interface Dialer0
  ip address yy.yy.yy.yy 255.255.255.252
  ip access-group 100 in
  ip mtu 1492
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip tcp adjust-mss 1452
  dialer pool 1
  dialer-group 1
  no cdp enable
  ppp authentication pap callin
  ppp pap sent-username xxxxxxx password 0 xxxxxxx
  ppp ipcp dns request
  ppp ipcp address accept
  crypto map Meadville
  interface Dialer1
  no ip address
  no cdp enable
  interface BVI10
  description Bridge to Internal Network
  no ip address
  ip virtual-reassembly
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip route 192.168.1.0 255.255.255.0 Vlan1
  ip http server
  no ip http secure-server
  ip nat inside source list 120 interface Dialer0 overload
  access-list 1 permit 192.168.1.0 0.0.0.255
  access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
  access-list 120 permit ip any any
  access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
  dialer-list 1 protocol ip permit
  no cdp run
  control-plane
  line con 0
  no modem enable
  line aux 0
  line vty 0 4
  password xxxxxxxxxx
  login local
  scheduler max-task-time 5000
  end

• Multiple Crypto Maps on Single Outside Interface

  Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
  crypto map azure-crypto-map 10 match address azure-vpn-acl
  crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
  crypto map azure-crypto-map interface outside
  However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
  crypto map azure-crypto-map interface outside
  which blows away my original line:
  crypto map outside_map interface outside
  It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

  Hi,
  You can use the same "crypto map"
  Just add
  crypto map outside_map 10 match address azure-vpn-acl
  crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
  crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
  Your dynamic VPN Clients will continue to work just fine as their "crypto map" statements are with the lowest priority/order in the "crypto map" configurations (65535) and the L2L VPN is higher (10)
  And what I mean with the above is that when a L2L VPN connections is formed from the remote end it will naturally match the L2L VPN configurations you have with "crypto map" configurations using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configurations and will move to the next entry and will match it (65535)
  If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.
  Hope this helps
  - Jouni

• "Crypto map" to inside/internal interface. Possible?

  Hi, I have a two routers on a point to point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine but I need each router to present a different IP address to that of the external interface.
  For example:
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  lifetime 3600
  crypto isakmp key privatekey address 4.4.4.4 no-xauth
  crypto ipsec transform-set 3des esp-3des esp-sha-hmac
  crypto map VPN 1 ipsec-isakmp
  set peer 4.4.4.4
  set transform-set 3des
  match address vpn
  interface FastEthernet0/0
  ip address 4.4.4.4 255.255.255.252
  ip nat outside
  ip virtual-reassembly
  speed 10
  full-duplex
  no cdp enable
  crypto map VPN
  interface FastEthernet0/1
  ip address 8.8.8.8 255.255.255.248
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the Crypto statements as below but it still presents the 4.4.4.4 probably due to the interface the Crypto map is applied
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  lifetime 3600
  crypto isakmp key privatekey address 8.8.8.8 no-xauth
  crypto ipsec transform-set 3des esp-3des esp-sha-hmac
  crypto map VPN 1 ipsec-isakmp
  set peer 8.8.8.8
  set transform-set 3des
  match address vpn
  How can I make sure that 8.8.8.8 is what's presented at the other end?
  Thanks
  Andy

  Hi Andy,
  I would suggest the following command:
  crypto map local-address
  http://tools.cisco.com/squish/9c85B
  To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
  crypto map map-name local-address interface-id
  no crypto map map-name local-address
  Example:
  interface loopback0
       ip address 4.2.2.2 255.255.255.252
  crypto map mymap local-address loopback0
  interface S0
        crypto map mymap
  Of course you need to make sure the remote end can reach this additional IP address.
  Let me know if you have any questions.
  Please rate any post that you find useful.

• IPSec VRF Aware (Crypto Map)

  Hello!
  I have some problem with configuring vrf aware Ipsec (Crypto Map).
  Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.  
  Configuration below:
  ip vrf outside
   rd 1:1
  ip vrf inside
   rd 2:2
  track 10 ip sla 10 reachability
  ip sla schedule 10 life forever start-time now
  crypto keyring outside vrf outside 
    pre-shared-key address 10.10.10.100 key XXXXXX
  crypto isakmp policy 20
   encr aes 256
   authentication pre-share
   group 2
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10 periodic
  crypto isakmp profile AS_outside
     vrf inside
     keyring outside
     match identity address 10.10.10.100 255.255.255.255 outside
     isakmp authorization list default
  crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac 
   mode tunnel
  crypto ipsec df-bit clear
  crypto map outside 10 ipsec-isakmp 
   set peer 10.10.10.100
   set security-association idle-time 3600
   set transform-set ESP-AES 
   set pfs group2
   set isakmp-profile AS_outside
   match address inside_access
  ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
  ip access-list extended inside_access
   permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
  icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
   vrf outside
  interface GigabitEthernet0/0.806
  ip vrf forwarding outside
  ip address 10.10.10.101 255.255.255.0
  crypto-map outside
  interface GigabitEthernet0/1.737
  ip vrf forwarding inside
  ip address 10.6.6.252 255.255.255.248

  Hello Frank!
  >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
  I tried it before. Nothing changes.
  >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
  It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
  show command below:
  ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
   10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
  ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
  10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
    sources: RIB 
    feature space:
     NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
    ifnums:
     GigabitEthernet0/0.806(24): 10.10.10.100
    path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
    nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)

• [ERR]crypto map WARNING: This crypto map is incomplete

  i have PIX 501 ver6.3(5) when i setup VPN i get this error message
  WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
  although it seems fine in sh conf command
  but tunnel is not started
  when i review log i found
  sa_request,ISAKMP Phase 1 exchange started

  i could successfully establish VPN with another FW cisco 501 6.3
  but still can't fix my dilemma which i connect to Huawei Eudemon 500‎
  sh isakmp
  PIX Version 6.3(5)‎
  interface ethernet0 10full
  interface ethernet1 100full
  nameif ethernet0 outside security0‎
  nameif ethernet1 inside security100 ‎
  access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1‎
  access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2‎
  access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1‎
  access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2 ‎
  global (outside) 1 interface‎
  nat (inside) 0 access-list inside_outbound_nat0_acl
  sysopt connection permit-ipsec
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ‎
  crypto ipsec security-association lifetime seconds 3600‎
  crypto map outside_map 100 ipsec-isakmp
  crypto map outside_map 100 match address outside_cryptomap_100‎
  crypto map outside_map 100 set peer remote peer
  crypto map outside_map 100 set transform-set ESP-3DES-SHA
  crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200‎
  crypto map outside_map interface outside
  isakmp enable outside
  ‎ ‎
  isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode ‎
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash sha‎
  isakmp policy 20 group 2‎
  isakmp policy 20 lifetime 86400‎
  sh crypto map
  Crypto Map: "outside_map" interfaces: { outside }‎
  Crypto Map "outside_map" 100 ipsec-isakmp
  Peer = remote peer
  access-list outside_cryptomap_100; 2 elements‎
  access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 ‎‎(hitcnt=14) ‎
  access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 ‎‎(hitcnt=6) ‎
  Current peer: remote peer
  Security association lifetime: 1843200 kilobytes/3600 seconds‎
  PFS (Y/N): N
  Transform sets={ ESP-3DES-SHA, }‎
  Crypto Map: "set" interfaces: { }‎

• Crypto map entry is incomplete

  Hi
  This is my config below. The error i am recieving is crypto map entry is incomplete. Can someone please take a look and let me know.  Thank you
  ASA(config)# crypto map outside_map 1 match address outside_1_cryptomap
  WARNING: The crypto map entry is incomplete!
  ASA(config)# show run
  : Saved
  ASA Version 8.4(4)1
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.2 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network net-local
  subnet 10.10.10.20 255.255.255.0
  object network net-remote
  subnet 10.10.3.0 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 10.10.10.20 255.255.255.0 10.
  10.3.0 255.255.255.0
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (any,any) source static net-local net-local destination static net-remote ne
  t-remote
  object network obj_any
  nat (inside,outside) dynamic interface
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 96.145.68.82
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.10.10.22-10.10.10.231 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 81.141.29.69 type ipsec-l2l
  tunnel-group 81.141.29.69 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:c2b7cdae5eb0961d822f634f2b36d3dc
  : end
  ASA(config)#

  Hi,
  You lack a "transform-set" configuration from the "crypto map" line.
  For example
  Create the IKEv1 Transform set
  crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac
  and
  Use it in the VPN configuration
  crypto map outside_map 1 set ikev1 transform-set AES
  The values ofcourse depend on the your own preference
  Hope this helps
  - Jouni

• Crypto map question

  Hi
  If I have 2 crypto maps defined on my pix 506E. Traffic of my first crypto map goes for tunnel 1 & traffic of my second interface goes for tunnel2.
  I can't apply the command crypto map CCS interface outside & crypto map PLC interface outside.
  I am able to apply only one.
  How can I do to use both crypto maps?
  crypto ipsec transform-set my_PLC esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 86400
  crypto map PLC 30 ipsec-isakmp
  crypto map PLC 30 match address PLC
  crypto map PLC 30 set peer 10.10.10.1
  crypto map PLC 30 set transform-set my_PLC
  crypto map PLC interface outside
  isakmp key ******* address 10.10.10.1 netmask 255.255.255.255
  isakmp identity address
  isakmp policy 30 authentication pre-share
  isakmp policy 30 encryption 3des
  isakmp policy 30 hash md5
  isakmp policy 30 group 2
  isakmp policy 30 lifetime 86400
  crypto ipsec transform-set my_ccs esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 86400
  crypto map CCS 20 ipsec-isakmp
  crypto map CCS 20 match address CCS
  crypto map CCS 20 set peer 20.20.20.1
  crypto map CCS 20 set transform-set my_ccs
  crypto map CCS interface outside
  isakmp key ****** address 20.20.20.1 netmask 255.255.255.255
  isakmp identity address
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400

  Hi
  You can only have one crypto map per interface but you can have separate entries within the same crypto map eg.
  crypto map CCS 20 ipsec-isakmp
  crypto map CCS 20 match address CCS
  crypto map CCS 20 set peer 20.20.20.1
  crypto map CCS 20 set transform-set my_ccs
  crypto map CCS 30 ipsec-isakmp
  crypto map CCS 30 match address PLC
  crypto map CCS 30 set peer 10.10.10.1
  crypto map CCS 30 set transform-set my_PLC
  crypto map CCS interface outside
  HTH
  Jon

• Crypto map incomplete

  I have PIX 515 and trying to add a gateway to gateway VPN tunnel with dynamic IP. I already have two other VPN tunnels configured with static IP. I enter the access-list 110 than the crypto map mymap 20 ipsec-isakmp no problem. than the crypto map mymap 20 match address 101 I get error message Crypto map incomplete. Why am I getting this error and how do I get around it. Thanks.

  Yes I have an Incomplete.
  crypto ipsec transform-set tr-set esp-des esp-md5-hmac
  crypto dynamic-map dynmap 10 set transform-set tr-set
  crypto dynamic-map dynmap 15 set transform-set tr-set
  crypto dynamic-map dynmap 15 set security-association lifetime seconds 3600 kilo
  bytes 4608000
  crypto map mymap 10 ipsec-isakmp
  crypto map mymap 10 match address 101
  crypto map mymap 10 set peer 70.106.123.11
  crypto map mymap 10 set transform-set tr-set
  crypto map mymap 15 ipsec-isakmp
  crypto map mymap 15 match address 105
  crypto map mymap 15 set peer 67.100.146.217
  crypto map mymap 15 set transform-set tr-set
  crypto map mymap 20 ipsec-isakmp
  ! Incomplete
  crypto map mymap 6335 ipsec-isakmp dynamic dynmap
  crypto map mymap interface outside

• Crypto map removing itself after reload

  Hello,
  I just set up my site tot site vpn with a pix box and a cisco 3745.
  The pix box is fine but the 3745 when ever I reload it the crypto map is not applied to the interface after the reload.

  Hello,
  I did issue a write memory.
  sh ver
  Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(25), R                                                                             ELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Tue 21-Apr-09 14:41 by prod_rel_team
  ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
  FIBERJGX-3745-01 uptime is 3 hours, 49 minutes
  System returned to ROM by reload at 01:32:53 UTC Fri Jul 5 2013
  System restarted at 01:34:09 UTC Fri Jul 5 2013
  System image file is "slot0:c3745-adventerprisek9-mz.124-25.bin"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected]
  Cisco 3745 (R7000) processor (revision 2.0) with 243712K/18432K bytes of memory.
  Processor board ID JMX0837L5AU
  R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2, 2048KB L3 Cache
  2 FastEthernet interfaces
  DRAM configuration is 64 bits wide with parity disabled.
  151K bytes of NVRAM.
  31360K bytes of ATA System CompactFlash (Read/Write)
  125952K bytes of ATA Slot0 CompactFlash (Read/Write)
  Configuration register is 0x2102

• Which interface does "crypto map vpn" get assigned to?

  I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4 which is my WAN side.

  Sander
  If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
  If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
  HTH
  Rick
  Sent from Cisco Technical Support iPhone App

• Crypto Map on Loopback interface or Physical Interface

  Dear All,
  When we try to apply the crypto map on any physical interface or the loopback interface on WS-6506-E, it is showing the error. But the same i could apply on VLAN interface. Can anyone explain me what is the issue..?
  6506(config)#interface loopback 3
  6506(config-if)#crypto map XXXX
  ERROR: Crypto Map configuration is not supported on the given interface
  Any hardware limitation?

  This was proven to break CEF in the past and is a bad design choice by default.
  Newer release do not allow you to configure this.
  If you're curious if it will work for you check releases prior to 15.x.
  M.

• Crypto Map on Tunnel interface

  hi guys, when i trying to apply crypto map on tunnel interface , debug is (
  crypto map is configured on tunnel interface.  Currently only GDOI crypto map is supported on tunnel interface )
  why i can't apply simple crypto map on tunnel interface? anyone knows?
  thanks

  This was proven to break CEF in the past and is a bad design choice by default.
  Newer release do not allow you to configure this.
  If you're curious if it will work for you check releases prior to 15.x.
  M.

• Can I enter crypto map command on an ethernet interface(LAN)

  Hi Friends,
  I am establishing VPN tunnel through Internet. I have the public address configured on Ethernet interface of router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface. Please help me providing the knowledge.

  your crypto map must be bound to outside interface.
  but you can chose which ip to use
  http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
  [Pls RATE if HELPS]

• Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

  Hi,
  I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
  Any ideas?
  Thanks Steve
  https://supportforums.cisco.com/thread/255085
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
  5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
  4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
  3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
  3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
  6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
  6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

  Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?
  If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
  access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
  Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
  nat (outside) 1 172.16.0.0 255.255.240.0