cisco 877 - crypto map problem

s_colombo (Level 1)

We have set up a L2L VPN between a cisco 877 and an ASA 5505.

On the 877 side we have :

dialer 0 : connect to internet and has a dynamic IP given by ISP

Loopback1 : has a static IP from the assigned Public IP range .

Vlan 1: has a static private IP for the LAN

FE3 : Interface connected to LAN

We have the following problem.

We have applied the crypto map to the Loopback interface and with this configuration we can reach the router's internal interface ( VLAN 1 IP ) from the ASA internal network , but other than that we cannot reach any host on the inside lan of the router.

If we apply the crypto map to the FE3 interface we can ping also the internal lan but we lose half the ping and the roundtrip is high ( 500-800 ms instead of 70-80 when applied only to Loopback 1 )

So I need help on this . What should be the correct configuration to have it all working fine ?

thanks in advance


10 Replies

Jennifer Halim (Cisco Employee)

Do you have "ip nat outside" on your loopback interface when the crypto map is applied, and configured ACL (NAT exemption) to deny traffic between internal subnet towards the ASA remote LAN?

Hi ,

yes I have IP NAT OUTSIDE on the lo interface .

Regarding ACL I have an ACL on the crypto map to identify the interesting traffic , do you mean that or another ACL directly applied to the lo interface ?

can you provide an example ?

thanks

No, I mean the ACL that you assign to your NAT statement. Does it have a deny statement between your internal network towards the ASA remote LAN?

I'm checking; meanwhile I noticed that there's also an IP NAT outside on the dialer 0 interface. Should I remove it, or won't it affect the problem?

thanks

No, don't remove the "ip nat outside" from the Dialer0 interface. No one can browse the internet if you do so.

No one should browse the internet from this connection; it should only be used as VPN to the main office.

As per the ACL

we have this ACL

access-list 130 deny   ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny   ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any

and this NAT

ip nat inside source list 130 interface Loopback1 overload

OK, so I assume 10.80.5.0/24 and 192.168.80.0/24 are your remote subnets, and 192.168.110.0/24 is your internal subnet.

Since you mentioned that this router is not used for Internet, then I assume that you have another device/router that serves the internet, hence, I believe your internal hosts' default gateway is not this vpn router.

You would need to route traffic towards 10.80.5.0/24 and 192.168.80.0/24 to this router internal interface (vlan 1 ip address).
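The NAT exemption Jennifer is asking about can be checked offline before touching the router. This is an added Python example, not code from the thread or from Cisco: it parses the access-list 130 lines posted above (IOS address/wildcard form), evaluates them first-match for a whole subnet pair the way `ip nat inside source list` does, and compares the posted order with a constructed mis-ordered variant in which the permit line shadows the deny lines.

```python
import ipaddress

# Copy of the NAT ACL posted in the thread (deny the VPN subnets first, then permit the rest).
NAT_ACL_OK = """
access-list 130 deny   ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny   ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
"""
# Constructed mis-ordered variant: the permit comes first and shadows the deny line.
NAT_ACL_BAD = """
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
access-list 130 deny   ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard (inverted mask) -> IPv4Network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _addr(tokens):
    """Consume one source/destination spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text, number):
    """Ordered (action, src_net, dst_net) entries of a numbered extended 'ip' ACL."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", str(number)] or tok[3] != "ip":
            continue
        src, rest = _addr(tok[4:])
        dst, _ = _addr(rest)
        entries.append((tok[2], src, dst))
    return entries

def vpn_flow_status(entries, local_net, remote_net):
    """First-match verdict for a whole local->remote subnet pair: 'exempt' (deny or implicit
    deny: not translated), 'translated' (permit), or 'partial' (an earlier entry splits it)."""
    local, remote = ipaddress.IPv4Network(local_net), ipaddress.IPv4Network(remote_net)
    for action, src, dst in entries:
        if local.subnet_of(src) and remote.subnet_of(dst):
            return "translated" if action == "permit" else "exempt"
        if local.overlaps(src) and remote.overlaps(dst):
            return "partial"
    return "exempt"
```

Every crypto-map flow should come back `exempt`; a `translated` or `partial` verdict means the NAT statement will rewrite VPN traffic before the crypto map sees it.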

on the internal host there's a static route for network 10.80.5.0

In the first configuration (crypto map applied on the loopback interface) you can try this:

no ip cef (on Cisco 877)

CEF in many versions has problems similar to yours.

Pepe_n ,

thanks so much for your help.

It was exactly my case, disabling IP CEF worked fine

best regards
