Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
0
Helpful
2
Replies

Crypto Map on Inside interface

nkm
Level 1
Level 1

‎12-11-2007 12:33 AM - edited ‎03-09-2019 07:35 PM

I am assisting a client with their VPN setup, and just want to know if it's possible to apply a crypto map on the inside interface.

I have tried however I am unable to ping anything inside the private network.

The inside netwiork is as follows..

interface Vlan1

ip address xxx.xxx.xxx.xxx 255.255.255.192 secondary

ip address yyy.yyy.yyy.yyy 255.255.255.248

ip nat inside

ip virtual-reassembly

crypto map VPNMap

xxx - the internal 'private' network

yyy - Internet reachable IP address

To even ping from my network, I had to create a static router to the vlan1 interface, so as to trigger the encryption process.

I also have the following

ip nat inside source route-map nonat pool in-net overload

Where in-net is doing PAT for internal hosts wanting to connect to the Internet

When I ping from my network, to the xxx (vlan1 secondary IP address), it works OK, when I however try to ping anything inside the private xxx network, I get 50% packet loss (reply - no reply - reply etc).

I am wondering if what I am doing can actually work, or does a crypto map have to be applied to an 'nat outside' interface only?

Any ideas?

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎12-11-2007 01:07 PM

Nik

As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?

I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?

HTH

Rick

HTH

Rick
0 Helpful

nkm
Level 1
Level 1
In response to Richard Burts

‎12-11-2007 10:16 PM

As I mentioned, I am assisting a customer, he insists that the WAN IP address can't be used, so I have to create a VPN with the routable (public) IP Address, which is on the internal interface.

0 Helpful
Customers Also Viewed These Support Documents