I am assisting a client with their VPN setup, and just want to know if it's possible to apply a crypto map on the inside interface.
I have tried; however, I am unable to ping anything inside the private network.
The inside network is as follows:
ip address xxx.xxx.xxx.xxx 255.255.255.192 secondary
ip address yyy.yyy.yyy.yyy 255.255.255.248
ip nat inside
crypto map VPNMap
xxx - the internal 'private' network
yyy - Internet reachable IP address
To even ping from my network, I had to create a static route to the vlan1 interface, so as to trigger the encryption process.
I also have the following:
ip nat inside source route-map nonat pool in-net overload
Where in-net is doing PAT for internal hosts wanting to connect to the Internet.
When I ping from my network to the xxx (vlan1 secondary IP address), it works OK. However, when I try to ping anything inside the private xxx network, I get 50% packet loss (reply - no reply - reply etc).
I am wondering if what I am doing can actually work, or does a crypto map have to be applied to an 'nat outside' interface only?
As far as I know, the technically correct answer to your question is yes, you can configure a crypto map on the inside interface. But it leads to the question of why you would want to do that. The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?