Crypto Map on Inside interface

Unanswered Question
Dec 11th, 2007
User Badges:

I am assisting a client with their VPN setup, and just want to know if it's possible to apply a crypto map on the inside interface.

I have tried however I am unable to ping anything inside the private network.

The inside netwiork is as follows..

interface Vlan1

ip address secondary

ip address yyy.yyy.yyy.yyy

ip nat inside

ip virtual-reassembly

crypto map VPNMap

xxx - the internal 'private' network

yyy - Internet reachable IP address

To even ping from my network, I had to create a static router to the vlan1 interface, so as to trigger the encryption process.

I also have the following

ip nat inside source route-map nonat pool in-net overload

Where in-net is doing PAT for internal hosts wanting to connect to the Internet

When I ping from my network, to the xxx (vlan1 secondary IP address), it works OK, when I however try to ping anything inside the private xxx network, I get 50% packet loss (reply - no reply - reply etc).

I am wondering if what I am doing can actually work, or does a crypto map have to be applied to an 'nat outside' interface only?

Any ideas?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Tue, 12/11/2007 - 13:07
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?

I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?



nkm Tue, 12/11/2007 - 22:16
User Badges:

As I mentioned, I am assisting a customer, he insists that the WAN IP address can't be used, so I have to create a VPN with the routable (public) IP Address, which is on the internal interface.


This Discussion