vpn tunnel on a 1712 router with only one interface

Unanswered Question
Feb 1st, 2005

I wonder if it is possible to create a VPN tunnel on a Cisco router using only one interface? The same interface would lead to both the external and the internal networks, like a reverse proxy, for instance.

Of course, the crypto map is configured on this single interface.

All my attempts have failed so far. It only works when I configure one external interface with the crypto map and one internal interface.

Is there a way to make this work?

Thanks for your replies.


8dstaicu Tue, 02/01/2005 - 10:40

It works. On the remote router you have to set the primary address as the peer. And, of course, you have to take care with the access lists!

Shawn Lebbon Thu, 02/17/2005 - 12:59

Can I ask *why* you'd want to do this?

Also, if you can mention what wasn't working in your tests (where it was failing), maybe we can figure it out better.

n.gmira Mon, 02/21/2005 - 14:31

Hi all,

I need to do this configuration because of my customer. He allows only one interface on a dedicated DMZ. Therefore I must configure the router to act as a reverse proxy.

In fact I need to set up a tunnel between a Checkpoint FW and the Cisco router.

Additionally, the Cisco router has only one private address. The NAT is performed by the customer's Internet firewall.

And the source addresses on my side have to be NATed to a private address in 172.31.x.x (PAT) before going into the tunnel.

FW VPN ---------------> Cust Int FW ---> VPN cisco
  |                                         |
  |                                         |
My LAN (encrypt. domain)          Cust. LAN (encrypt. domain)

Since my first post I have managed to make this work with a loopback interface and the "set ip next-hop" command: I virtually re-route the encrypted packets through the loopback, and then the router seems to act as if it had two network interfaces.

But each time I make a change (new NAT, PAT, network address) for my tests (before setting up the VPN definitively) I run into difficulties with the ACLs (the one for the route-map and the one for the crypto map).

The most frequent error message (when I don't use any route-map) is: %CRYPTO-4-RECVD_PKT_NOT_IPSEC

I think I don't clearly understand what to put in the ACLs, and maybe the route-map solution is not the right one for my configuration.

My crypto ACL contains:

access-list 100 permit esp host public-ip_vpn-router host public-ip_FW
access-list 100 permit esp host public-ip_FW host public-ip_vpn-router
access-list 100 permit esp host private-ip_vpn-router host public-ip_FW
access-list 100 permit esp host public-ip_FW host private-ip_vpn-router
access-list 100 permit ip PAT(of my LAN) Cust.LAN
access-list 100 permit ip Cust.LAN PAT(of my LAN)
access-list 100 deny ip any any

interface Loopback0
 ip address <loopback address>

interface FastEthernet0
 ip address <private address>
 crypto map <map name>
 ip policy route-map YYY

Route-map:

route-map YYY permit 10
 match ip address 120
 set ip next-hop <next hop>

ACL 120 (route-map):

access-list 120 permit ip PAT(of my LAN) Cust.LAN
access-list 120 permit ip Cust.LAN PAT(of my LAN)

What do you think about this config?

Do you have a sample config, or any ideas of the right configuration to make this work definitively?

Thank you for your help.


n.gmira Tue, 02/22/2005 - 11:35

Well, it works great now!

The problem was indeed the ACLs.

Here is the solution:

For the crypto map ACL: just write one-direction ACL entries (from the LAN behind the router to the Checkpoint LAN, in my case), and no ESP flows, just the flows which need to be encrypted.

For the route-map ACL (for the loopback): you must write both directions (LAN behind the router <-> LAN behind the FW).

And all works great.
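The thread never shows a complete working configuration, so here is one assembled from what n.gmira reports above. It is an added example, not a config posted in the thread or a Cisco sample, and every address in it is invented: 192.168.10.0/24 is the customer LAN behind the router, 172.31.1.1 is the PAT address the Checkpoint side presents, 10.1.1.2/24 is the router's single private address with the customer firewall at 10.1.1.1, 203.0.113.10 is the Checkpoint's public address, and Loopback0 is 10.255.255.1/30. The argument to `set ip next-hop` is not shown in the thread; it is assumed here to be the unused address inside the loopback's /30, so the packet is sent "out" the loopback and re-enters the router. ISAKMP/IPsec parameters are placeholders that must match the Checkpoint side.

```cisco
! Added example (not from the thread). All addresses are invented, see lead-in.

! Phase 1: parameters must agree with the Checkpoint; the key is a placeholder
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key REPLACE-WITH-A-STRONG-PSK address 203.0.113.10

! Phase 2
crypto ipsec transform-set TS-CHKP esp-aes esp-sha-hmac

! Crypto ACL: ONE direction only, and only the cleartext flows to be encrypted.
! No ESP entries: the ESP packets themselves are never "interesting traffic".
! IOS mirrors this list to decide what must arrive encrypted; on a one-armed
! router the LAN's cleartext packets arrive on the same interface, so listing the
! reverse direction makes the router expect them to be IPsec and it logs
! %CRYPTO-4-RECVD_PKT_NOT_IPSEC.
access-list 100 permit ip 192.168.10.0 0.0.0.255 host 172.31.1.1

! Route-map ACL: BOTH directions, so LAN->Checkpoint traffic and the decrypted
! Checkpoint->LAN traffic are both pushed through the loopback
access-list 120 permit ip 192.168.10.0 0.0.0.255 host 172.31.1.1
access-list 120 permit ip host 172.31.1.1 192.168.10.0 0.0.0.255

crypto map CM-CHKP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-CHKP
 match address 100

! The loopback plays the part of the missing second interface
interface Loopback0
 ip address 10.255.255.1 255.255.255.252

! The one and only physical interface: crypto map and policy routing both here
interface FastEthernet0
 ip address 10.1.1.2 255.255.255.0
 ip policy route-map VPN-LOOP
 crypto map CM-CHKP

! 10.255.255.2: the unused address in the loopback /30 (assumed value, not
! given in the thread)
route-map VPN-LOOP permit 10
 match ip address 120
 set ip next-hop 10.255.255.2

! Everything, including the customer LAN and the Internet, is via the customer FW
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

Check the result with `show crypto isakmp sa` (the peer should be QM_IDLE) and `show crypto ipsec sa`, where both the encaps and decaps counters must increase when a host in 192.168.10.0/24 talks to 172.31.1.1; if only one of them moves, the mistake is almost always in ACL 100 or ACL 120. Two caveats the thread does not spell out: the Checkpoint must peer with the router's NATed public address, as 8dstaicu says, and that only works without further configuration if the customer firewall's NAT is a static 1:1 mapping that passes ESP. If it is a PAT, ESP does not survive it and NAT-T (UDP 4500) has to be allowed on both sides.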


