Cisco Support Community

New Member

Crypto Map on Inside interface

I am assisting a client with their VPN setup, and just want to know if it's possible to apply a crypto map on the inside interface.

I have tried; however, I am unable to ping anything inside the private network.

The inside network is as follows:

interface Vlan1
 ip address secondary
 ip address yyy.yyy.yyy.yyy
 ip nat inside
 ip virtual-reassembly
 crypto map VPNMap

xxx - the internal 'private' network

yyy - Internet reachable IP address

To even ping from my network, I had to create a static route to the vlan1 interface, so as to trigger the encryption process.

I also have the following:

ip nat inside source route-map nonat pool in-net overload

where in-net is doing PAT for internal hosts wanting to connect to the Internet.

When I ping from my network to the xxx (vlan1 secondary IP address), it works OK; however, when I try to ping anything inside the private xxx network, I get 50% packet loss (reply - no reply - reply etc).

I am wondering if what I am doing can actually work, or does a crypto map have to be applied to an 'nat outside' interface only?

Any ideas?

Hall of Fame Super Silver

Re: Crypto Map on Inside interface


As far as I know, the technically correct answer to your question is yes, you can configure a crypto map on the inside interface. But it leads to a question of why you would want to do that. The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?

I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?



New Member

Re: Crypto Map on Inside interface

As I mentioned, I am assisting a customer. He insists that the WAN IP address can't be used, so I have to create a VPN with the routable (public) IP address, which is on the internal interface.
