02-01-2005 03:57 AM
I wonder if it is possible to create a VPN tunnel on a Cisco router using only one interface? The same interface would lead to both the external and internal networks, like reverse proxies for instance.
Of course the crypto map is configured on this unique interface.
All my attempts have failed for the moment. It only works when configuring one external interface with the crypto map and one internal interface.
Is there a way to make this work?
Thanks for your replies
Nabil
02-01-2005 10:40 AM
It works. On the remote router you have to set the primary address as the peer. And, of course, you have to take care with the access-lists!
02-17-2005 12:59 PM
Can I ask *why* you'd want to do this?
Also, if you can mention what wasn't working in your tests (where it was failing), maybe we can figure it out better...
02-21-2005 02:31 PM
Hi all,
I need to do this configuration because of my customer. He allows only one interface on a dedicated DMZ. Therefore I must configure the router to act as a reverse proxy.
In fact I need to set up a tunnel between a Checkpoint FW and the Cisco router.
Additionally, the Cisco router has only one private address. The NAT is performed by the customer's Internet firewall.
And the source addresses on my side have to be NATed to a private address 172.31.x.x (PAT) before going into the tunnel.
FW VPN ---------------> Cust Int FW ---> VPN cisco
  |                                         |
My LAN (encrypt.domain)          Cust.LAN (encrypt.domain)
Since my first post I have managed to make this work with a loopback interface and the "set ip next-hop" command: I virtually re-route the encrypted packets through the loopback, and then the router seems to act as if it has two network interfaces.
But each time I make a change (new NAT, PAT, network address) for my tests (before definitively setting up the VPN) I run into difficulties with the ACLs (the one for the route-map and the one for the crypto map).
The most frequent error message (when I don't use any route-map) is: %CRYPTO-4-RECVD_PKT_NOT_IPSEC
I think that I don't clearly understand what to put in the ACLs, and maybe the route-map solution is not the right one for my configuration.
My crypto ACL contains:
access-list 100 permit esp public-ip_vpn-router public-ip_FW
access-list 100 permit esp public-ip_FW public-ip_vpn-router
access-list 100 permit esp private-ip_vpn-router public-ip_FW
access-list 100 permit esp public-ip_FW private-ip_vpn-router
access-list 100 permit ip PAT(of my LAN) Cust.LAN
access-list 100 permit ip Cust.LAN PAT(of my LAN)
access-list 100 deny ip any any
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0
 ip address private-address
 crypto map
 ip policy route-map YYY
Route-map:
route-map YYY
 match ip address 120
 set ip next-hop 1.1.1.2
ACL 120 (route-map):
access-list 120 permit ip PAT(of my LAN) Cust.LAN
access-list 120 permit ip Cust.LAN PAT(of my LAN)
What do you think about this config?
Do you have a sample config, or any ideas for the right configuration to make this work definitively?
Thank you for your help
N.
02-22-2005 11:35 AM
Well, it works great now!
The problem was indeed the ACLs.
Here is the solution:
For the crypto map ACL: just write one-direction ACL entries (from the LAN behind the router to the Checkpoint LAN in my case), and not the ESP flows, just the flows which need to be encrypted.
For the route-map ACL (for the loopback): you must write both directions (LAN behind the router <-> LAN behind the FW).
And all works great.
N.
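Pulling the pieces from the two posts above (loopback as the virtual second interface, one-direction crypto ACL, two-direction route-map ACL) into a single config, as an added illustration that is not the poster's own configuration; the interface names, map and route-map names, peer address, LAN ranges and pre-shared key are constructed placeholders, and the PAT to 172.31.x.x is left out.

```ios
! Added illustration assembled from the thread, not the poster's running
! config. Addresses, names and the PSK are constructed placeholders.
! 172.31.1.1 stands for the post-PAT source address of "my LAN";
! 10.20.0.0/16 stands for Cust.LAN; 203.0.113.10 for the Checkpoint peer.
!
! Crypto ACL: only the traffic to encrypt, ONE direction (local -> remote).
! IOS mirrors it for the inbound check; ESP itself is never listed here.
access-list 100 permit ip host 172.31.1.1 10.20.0.0 0.0.255.255
!
! Route-map ACL: BOTH directions, so clear traffic either way is
! hairpinned through the loopback "second interface".
access-list 120 permit ip host 172.31.1.1 10.20.0.0 0.0.255.255
access-list 120 permit ip 10.20.0.0 0.0.255.255 host 172.31.1.1
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.10
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address 100
!
! Next hop 1.1.1.2 lies in the Loopback0 subnet, which is what pushes
! the packet through the loopback before it leaves via the crypto map.
route-map TO-LOOPBACK permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! The single physical interface carries both roles: the crypto map for
! the tunnel and the policy route-map for the hairpin.
interface FastEthernet0
 ip address 192.0.2.2 255.255.255.0
 crypto map CM
 ip policy route-map TO-LOOPBACK
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

Check the result with "show crypto ipsec sa" (packets should count as encaps/decaps, not as RECVD_PKT_NOT_IPSEC drops in the log) and "show route-map TO-LOOPBACK" (policy matches should increment for both directions).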