According to the PIX VPN documentation, one can apply a crypto map to any interface, however the only examples given are the outside interface.
I have an environment where a number of individual customers each have their own virtual "inside" interfaces via vlans. They each would like to implement VPNs back to their home networks, but I'd like to avoid having one large shared crypto map on the outside interface. The main reason for this is that the frequency of changes is likely to be high, and I don't want to have to impose outages on all customer VPNs for each change.
So I was thinking about having a per-customer crypto map applied to each of their virtual "inside" interfaces.
Any reason to avoid this strategy? I would assume you'd need to modify the acl_out to allow incoming ipsec/isakmp from the remote PIXes.
There are some problems with this approach. The first is simply that this would require using public addresses on each of the "private interfaces". While possible, it may be challenging to configure the routing with your ISP and properly subnet your address space.
Assuming you have a solution for this or all addresses are routed privately anyway, I am still not sure this works. I tried a similar configuration and was unsuccessful.
I seem to remember that it worked sometimes, but not others, making the solution unreliable.
If I recall correctly, the crypto engine failed to catch the packets as they were effectively exiting the same interface as they arrived on, which is not allowed by the pix.
This is difficult to get your head around, but I think the idea is the same as the reason why VPN connections from the software client could not access the Internet without split tunneling enabled. Internet traffic arriving through the VPN could not be forwarded back out the public interface to the Internet.
Having said all that, the VPN client issue has a workaround in PIX OS 7, so maybe terminating VPNs on internal interfaces would work as well.