cisco 877 - crypto map problem

Answered Question

We have set up a L2L VPN between a cisco 877 and an ASA 5505.

On the 877 side we have :

Dialer 0: connects to the internet and has a dynamic IP assigned by the ISP

Loopback1: has a static IP from the assigned public IP range.

VLAN 1: has a static private IP for the LAN

FE3: interface connected to the LAN


We have the following problem.


We have applied the crypto map to the Loopback interface, and with this configuration we can reach the router's internal interface (VLAN 1 IP) from the ASA internal network, but other than that we cannot reach any host on the inside LAN of the router.


If we apply the crypto map to the FE3 interface we can also ping the internal LAN, but we lose half the pings and the round trip is high (500-800 ms instead of 70-80 ms when applied only to Loopback 1).


So I need help on this. What should be the correct configuration to have it all working fine?

thanks in advance

Correct Answer by pepe__n about 7 years 2 months ago

In the first configuration (crypto map applied on the loopback interface) you can try this:


no ip cef (on Cisco 877)


CEF in many versions has problems similar to yours.

Jennifer Halim Mon, 04/19/2010 - 00:25
User Badges:
  • Cisco Employee,

Do you have "ip nat outside" on your loopback interface when the crypto map is applied, and configured ACL (NAT exemption) to deny traffic between internal subnet towards the ASA remote LAN?

Jennifer Halim Mon, 04/19/2010 - 00:37
User Badges:
  • Cisco Employee,

No, I mean the ACL that you assign to your NAT statement. Does it have a deny statement between your internal network towards the ASA remote LAN?

Jennifer Halim Mon, 04/19/2010 - 00:49
User Badges:
  • Cisco Employee,

No, don't remove the "ip nat outside" from the Dialer0 interface. No one can browse the internet if you do so.

No one should browse the internet from this connection; it should only be used as a VPN to the main office.


As for the ACL, we have this ACL:

access-list 130 deny   ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny   ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any


and this NAT statement:

ip nat inside source list 130 interface Loopback1 overload
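The NAT-exemption question raised above (does the NAT ACL deny the internal-subnet-to-remote-LAN pairs before its final permit, so that VPN traffic is not translated?) can be checked offline against the posted ACL. The script below is an added example and is not from any post in this thread: it embeds the ACL text above as constructed sample input, evaluates it first-match the way `ip nat inside source list` does (permit = translate, deny or no match = not translated), and also derives the crypto ACL lines that mirror the exempted pairs. The host addresses used as test flows are assumed, and 203.0.113.9 is a documentation address standing in for an Internet destination.

```python
"""Check a Cisco IOS NAT access-list (as referenced by ``ip nat inside source
list``) against LAN-to-LAN VPN flows, to confirm the VPN traffic is exempt.

Added example for this thread; the ACL below is the one posted above, embedded
here as constructed sample input so the script runs offline.
"""
import ipaddress
from typing import Dict, List, NamedTuple

NAT_ACL_TEXT = """
access-list 130 deny   ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny   ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
"""


class Ace(NamedTuple):
    action: str                  # "permit" (translate) or "deny" (do not translate)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int):
    """Parse one ACL address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address wildcard": ipaddress accepts a host mask (wildcard) after the slash,
    # which covers contiguous wildcards such as 0.0.0.255 or 0.0.255.255.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        action = tokens[2]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def nat_decision(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of a NAT ACL for one flow.

    Returns 'translate', 'exempt', or 'exempt (implicit deny)' when nothing matches
    (a NAT ACL's implicit deny means 'do not translate').
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return "translate" if ace.action == "permit" else "exempt"
    return "exempt (implicit deny)"


def vpn_flows_exempt(aces: List[Ace], inside_host: str, remote_hosts: List[str]) -> Dict[str, bool]:
    """True for each remote host whose flow from inside_host would bypass NAT."""
    return {r: nat_decision(aces, inside_host, r).startswith("exempt") for r in remote_hosts}


def mirror_crypto_acl(aces: List[Ace], number: int = 120) -> List[str]:
    """Crypto ACL lines that match exactly the pairs the NAT ACL exempts.

    Useful as a consistency check: the 'interesting traffic' ACL on the crypto map
    should cover the same pairs that the NAT ACL denies. ACL number 120 is an
    assumed placeholder.
    """
    return [
        f"access-list {number} permit ip {a.src.network_address} {a.src.hostmask} "
        f"{a.dst.network_address} {a.dst.hostmask}"
        for a in aces if a.action == "deny"
    ]


if __name__ == "__main__":
    aces = parse_acl(NAT_ACL_TEXT)
    # Constructed flows: an inside host towards each remote LAN and towards the Internet.
    for dst in ("10.80.5.5", "192.168.80.5", "203.0.113.9"):
        print(f"192.168.110.10 -> {dst}: {nat_decision(aces, '192.168.110.10', dst)}")
    print("\n".join(mirror_crypto_acl(aces)))
```

Run as a script it reports the NAT decision for each constructed flow; for the ACL posted above, both remote LANs come out as exempt and only the Internet-bound flow is translated, so the NAT ACL itself is not what blocks the inside LAN here.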

Jennifer Halim Mon, 04/19/2010 - 01:04
User Badges:
  • Cisco Employee,

OK, so I assume 10.80.5.0/24 and 192.168.80.0/24 are your remote subnets, and 192.168.110.0/24 is your internal subnet.

Since you mentioned that this router is not used for the Internet, I assume that you have another device/router that serves the Internet; hence, I believe your internal hosts' default gateway is not this VPN router.

You would need to route traffic towards 10.80.5.0/24 and 192.168.80.0/24 to this router internal interface (vlan 1 ip address).

