Which interface does "crypto map vpn" get assigned to?

I'm setting up a site-to-site VPN and have been reading some examples, but my 871 uses a VLAN, so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or to fe4, which is my WAN side?

Sander
If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I cannot tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so, then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
If this helps you figure it out, that is good. Otherwise perhaps you can provide some clarification of the environment.
HTH
Rick

Similar Messages

  • Crypto map VPN 270 set peer 12.2.3.4 12.5.6.7

    All
    A previously set-up tunnel has two IP addresses defined in the crypto map. I was advised that one of the IPs is no longer valid.
    Can I remove one of the IPs without losing the other?
    no crypto map VPN 270 set peer 12.2.3.4

    Yes you can.
    thanks


  • "Crypto map" to inside/internal interface. Possible?

    Hi, I have two routers on a point-to-point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine, but I need each router to present a different IP address to that of the external interface.
    For example:
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     lifetime 3600
    crypto isakmp key privatekey address 4.4.4.4 no-xauth
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac
    crypto map VPN 1 ipsec-isakmp
     set peer 4.4.4.4
     set transform-set 3des
     match address vpn
    interface FastEthernet0/0
     ip address 4.4.4.4 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     speed 10
     full-duplex
     no cdp enable
     crypto map VPN
    interface FastEthernet0/1
     ip address 8.8.8.8 255.255.255.248
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the Crypto statements as below, but it still presents the 4.4.4.4, probably due to the interface the Crypto map is applied to.
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     lifetime 3600
    crypto isakmp key privatekey address 8.8.8.8 no-xauth
    crypto ipsec transform-set 3des esp-3des esp-sha-hmac
    crypto map VPN 1 ipsec-isakmp
     set peer 8.8.8.8
     set transform-set 3des
     match address vpn
    How can I make sure that 8.8.8.8 is what's presented at the other end?
    Thanks
    Andy

    Hi Andy,
    I would suggest the following command:
    crypto map local-address
    http://tools.cisco.com/squish/9c85B
    To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
    crypto map map-name local-address interface-id
    no crypto map map-name local-address
    Example:
    interface loopback0
     ip address 4.2.2.2 255.255.255.252
    crypto map mymap local-address loopback0
    interface S0
     crypto map mymap
    Of course you need to make sure the remote end can reach this additional IP address.
    Let me know if you have any questions.
    Please rate any post that you find useful.

  • [ERR]crypto map WARNING: This crypto map is incomplete

    I have a PIX 501 ver 6.3(5). When I set up a VPN I get this error message:
    WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
    although it seems fine in the sh conf command,
    but the tunnel is not started.
    When I review the log I find
    sa_request,ISAKMP Phase 1 exchange started

    I could successfully establish a VPN with another Cisco 501 6.3 FW
    but still can't fix my dilemma where I connect to a Huawei Eudemon 500.
    sh isakmp
    PIX Version 6.3(5)
    interface ethernet0 10full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
    access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
    access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
    access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map outside_map 100 ipsec-isakmp
    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer remote peer
    crypto map outside_map 100 set transform-set ESP-3DES-SHA
    crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    sh crypto map
    Crypto Map: "outside_map" interfaces: { outside }
    Crypto Map "outside_map" 100 ipsec-isakmp
    Peer = remote peer
    access-list outside_cryptomap_100; 2 elements
    access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
    access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
    Current peer: remote peer
    Security association lifetime: 1843200 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ ESP-3DES-SHA, }
    Crypto Map: "set" interfaces: { }

  • Converting crypto map to unnumbered VTI

    I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto map has been working for months. The VTI... not so much. Here are the applicable config entries.
    ### original config
    crypto isakmp policy 30
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxxxxxx address 10.1.1.10
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto map CRYPTO 50 ipsec-isakmp
     set peer 10.1.1.10
     set transform-set 3DES-SHA
     set pfs group2
     match address VPN1
    ip access-list extended VPN1
     permit ip host 172.16.16.10 host 10.5.5.1
     permit ip host 172.16.16.10 host 10.5.5.4
    I only removed the crypto map and added the following.
    ### New Config
    crypto ipsec profile V1
     set security-association lifetime seconds 28800
     set transform-set 3DES-SHA
     set pfs group2
    interface Tunnel0
     ip unnumbered FastEthernet0/0
     ip nat outside
     ip virtual-reassembly
     tunnel source 172.16.8.1
     tunnel destination 10.1.1.10
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile V1
    I keep getting this ISAKMP error now.
    ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)
    Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.
    Thank you!

    Access-lists, FW (ZBF, CBAC) and all other features work on SVTI the same way they would work on a physical or other logical interface (with very few exceptions).

  • One crypto map, different tunnel source addresses (secondary)

    Hi,
    I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?

    Source IP addresses for IKE exchanges leaving out of the same physical interface, i.e.:
    crypto map to-peer_a 10 ipsec-isakmp
     set peer 10.1.3.1
     set local-address loopback1 <-- new command
     match address 100
    crypto map to-peer_a 20 ipsec-isakmp
     set peer 10.1.3.2
     set local-address loopback2 <-- new command
     match address 101
    Current code only allows a local-address to be specified per crypto map, not per crypto map instance as suggested above.

  • Crypto map question

    Hi
    I have 2 crypto maps defined on my PIX 506E. Traffic for my first crypto map goes to tunnel 1 and traffic for my second interface goes to tunnel 2.
    I can't apply both the command crypto map CCS interface outside and crypto map PLC interface outside.
    I am able to apply only one.
    How can I use both crypto maps?
    crypto ipsec transform-set my_PLC esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto map PLC 30 ipsec-isakmp
    crypto map PLC 30 match address PLC
    crypto map PLC 30 set peer 10.10.10.1
    crypto map PLC 30 set transform-set my_PLC
    crypto map PLC interface outside
    isakmp key ******* address 10.10.10.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    crypto ipsec transform-set my_ccs esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto map CCS 20 ipsec-isakmp
    crypto map CCS 20 match address CCS
    crypto map CCS 20 set peer 20.20.20.1
    crypto map CCS 20 set transform-set my_ccs
    crypto map CCS interface outside
    isakmp key ****** address 20.20.20.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    Hi
    You can only have one crypto map per interface, but you can have separate entries within the same crypto map, e.g.
    crypto map CCS 20 ipsec-isakmp
    crypto map CCS 20 match address CCS
    crypto map CCS 20 set peer 20.20.20.1
    crypto map CCS 20 set transform-set my_ccs
    crypto map CCS 30 ipsec-isakmp
    crypto map CCS 30 match address PLC
    crypto map CCS 30 set peer 10.10.10.1
    crypto map CCS 30 set transform-set my_PLC
    crypto map CCS interface outside
    HTH
    Jon

  • Multiple Crypto Maps on Single Outside Interface

    Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
    crypto map azure-crypto-map 10 match address azure-vpn-acl
    crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
    crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
    crypto map azure-crypto-map interface outside
    However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
    crypto map azure-crypto-map interface outside
    which blows away my original line:
    crypto map outside_map interface outside
    It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

    Hi,
    You can use the same "crypto map"
    Just add
    crypto map outside_map 10 match address azure-vpn-acl
    crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
    crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
    Your dynamic VPN Clients will continue to work just fine, as their "crypto map" statements are at the lowest priority/order in the "crypto map" configuration (65535) and the L2L VPN is higher (10).
    What I mean by the above is that when an L2L VPN connection is formed from the remote end, it will naturally match the L2L VPN configuration you have with the "crypto map" entries using the number "10". Then when a VPN Client connects, it will naturally not match the number "10" configuration and will move to the next entry and match it (65535).
    If you were to configure a new L2L VPN connection, you could give it the number "11", for example, and everything would still be fine.
    Hope this helps
    - Jouni
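    The rules stated in this answer, in Jon's answer above (one crypto map per interface, separate sequence numbers within it), in the PIX "incomplete crypto map" thread (every entry needs a peer and a match address) and in Rick's answer to the original question (bind the map to the outbound layer 3 interface) can be checked over a saved configuration. The script below is an added example, not code from any of the posts; it understands IOS sub-mode syntax only (not the flat PIX/ASA form), and SAMPLE_CONFIG is a constructed fragment, not any poster's device.

```python
import re
from collections import defaultdict

# Constructed IOS-style fragment (not any poster's device). It deliberately has an
# entry with no peer, two maps bound to one interface, and a map on an interface with no IP.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
 crypto map CCS
interface Loopback0
 crypto map VPN
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.7
 match address vpn-acl
crypto map CCS 20 ipsec-isakmp
 match address ccs-acl
"""

def parse_crypto(config):
    """Walk IOS sub-mode config: interface -> {ip, maps}; (map, seq) -> {peer, acl}."""
    interfaces = defaultdict(lambda: {"ip": None, "maps": []})
    entries = defaultdict(lambda: {"peer": False, "acl": False})
    ctx = None  # ("if", name) or ("map", (name, seq)) while inside a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line: continue
        if m := re.match(r"interface (\S+)", line):
            ctx = ("if", m.group(1))
            _ = interfaces[ctx[1]]  # register the interface even with no sub-commands
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            ctx = ("map", (m.group(1), int(m.group(2))))
            _ = entries[ctx[1]]  # register the entry even if it is completely empty
        elif not raw.startswith(" "):
            ctx = None  # any other global command ends the current sub-mode
        elif ctx and ctx[0] == "if":
            if m := re.match(r"ip address (\S+) \S+", line):
                interfaces[ctx[1]]["ip"] = m.group(1)
            elif m := re.match(r"crypto map (\S+)$", line):
                interfaces[ctx[1]]["maps"].append(m.group(1))
        elif ctx and ctx[0] == "map":
            if line.startswith("set peer "):
                entries[ctx[1]]["peer"] = True
            elif line.startswith("match address "):
                entries[ctx[1]]["acl"] = True
    return interfaces, entries

def lint(config):
    """Return human-readable findings for the three mistakes discussed in the threads."""
    interfaces, entries = parse_crypto(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        if not (e["peer"] and e["acl"]):
            findings.append(f"incomplete: crypto map {name} {seq} needs 'set peer' and 'match address'")
    for ifname, i in interfaces.items():
        if len(i["maps"]) > 1:
            findings.append(f"{ifname}: {len(i['maps'])} crypto maps bound; use one map with separate sequence numbers")
        if i["maps"] and i["ip"] is None:
            findings.append(f"{ifname}: crypto map bound to an interface with no IP; bind it to the outbound layer 3 interface")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```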

  • Site to Site VPN working without Crypto Map (ASA 8.2(1))

    Hi All,
    Found a strange situation on our ASA5540 firewall :
    We have a couple of Site to Site VPNs and have also enabled client VPN on the ASA; all are working fine. But I found a Site to Site VPN that is up and running without a crypto map configuration. Is it possible?
    I tried clear isa sa and clear ipsec sa, and then the VPN came up again. I also tested that the remote site is pingable through the VPN.
    I did see there is a tunnel-group config for the VPN, but didn't see any crypto map or ACL.
    How does the firewall know which traffic needs to be encrypted into this VPN tunnel without a crypto map?
    Is it a bug?
    Thanks in advance,

    It might be an easy vpn setup.
    Could you post the running config output, removing any sensitive info? This could help us answer your question more exactly.

  • Can I enter crypto map command on an ethernet interface(LAN)

    Hi Friends,
    I am establishing a VPN tunnel through the Internet. I have the public address configured on the Ethernet interface of the router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface? Please help me by providing the knowledge.

    Your crypto map must be bound to the outside interface,
    but you can choose which IP to use:
    http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
    [Pls RATE if HELPS]


  • Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

    Hi,
    I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
    Any ideas?
    Thanks Steve
    https://supportforums.cisco.com/thread/255085
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
    5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
    4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
    3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
    3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
    3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
    6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
    6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

    Are you trying to send traffic destined for the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?
    If so, this end also needs to be configured with "any" --> the crypto ACL needs to be a mirror image.
    access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
    Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
    nat (outside) 1 172.16.0.0 255.255.240.0
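    The mirror-image rule from this answer can be checked mechanically: parse the proxy identities out of the 713061 message and compare them with the crypto ACL entries on this end. The code below is an added example, not code from the thread; LOG_LINE is a constructed message in the same format as the one quoted above (documentation addresses, not the real peer), and ACL_BEFORE / ACL_AFTER are a constructed crypto ACL before and after adding the "any" entry the answer suggests.

```python
import ipaddress
import re

# Constructed 713061 line in the format quoted above (documentation addresses, not the
# thread's real peer).
LOG_LINE = ("3 Jun 13 15:46:25 713061 Group = 198.51.100.9, IP = 198.51.100.9, "
            "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
            "172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")

# Constructed crypto ACL on the receiving ASA: only a /24 is permitted before the fix,
# then the mirror-image 'any' entry from the answer is added.
ACL_BEFORE = ["access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.240.0"]
ACL_AFTER = ACL_BEFORE + ["access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0"]

PROXY_RE = re.compile(r"remote proxy (\S+)/(\S+)/\d+/\d+ local proxy (\S+)/(\S+)/\d+/\d+")
ACE_RE = re.compile(r"permit ip (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)$")

def field_to_net(field):
    """ACE address field ('any', 'host A', or 'A MASK') -> ip_network."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    kind, value = field.split()
    if kind == "host":
        return ipaddress.ip_network(f"{value}/32")
    return ipaddress.ip_network(f"{kind}/{value}", strict=False)

def proxies_from_log(line):
    """(local_net, remote_net) the peer proposed, as logged by this ASA:
    'local proxy' is our side, 'remote proxy' is the network behind the peer."""
    m = PROXY_RE.search(line)
    if not m:
        raise ValueError("not a 713061 message")
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return local, remote

def parse_ace(line):
    m = ACE_RE.search(line)
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    return field_to_net(m.group(1)), field_to_net(m.group(2))

def matching_ace(acl_lines, local, remote):
    """First ACE whose source equals the local proxy and destination equals the
    remote proxy (the mirror-image rule), else None."""
    for line in acl_lines:
        src, dst = parse_ace(line)
        if src == local and dst == remote:
            return line
    return None

def as_ace_field(net):
    return "any" if net.prefixlen == 0 else net.with_netmask.replace("/", " ")

def diagnose(log_line, acl_lines):
    local, remote = proxies_from_log(log_line)
    ace = matching_ace(acl_lines, local, remote)
    if ace:
        return f"ok: proxies {local} -> {remote} matched by: {ace}"
    return (f"mismatch: peer proposes local {local} remote {remote}; add "
            f"'permit ip {as_ace_field(local)} {as_ace_field(remote)}' to the crypto ACL")
```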


  • Crypto Map on Loopback interface or Physical Interface

    Dear All,
    When we try to apply the crypto map on any physical interface or on a loopback interface on a WS-6506-E, it shows an error. But I could apply the same on a VLAN interface. Can anyone explain to me what the issue is?
    6506(config)#interface loopback 3
    6506(config-if)#crypto map XXXX
    ERROR: Crypto Map configuration is not supported on the given interface
    Any hardware limitation?

    This was proven to break CEF in the past and is a bad design choice by default.
    Newer releases do not allow you to configure this.
    If you're curious whether it will work for you, check releases prior to 15.x.
    M.
