Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

IPSec Tunnel Router Loopback to Pix outside int

In the process of setting up ipsec tunnels between 7206 (ios 12.3.x) and a remote Pix (6.3.3). I have been told conflicting things about the ability to terminate tunnels to a loopback. Ideally, we would terminate to a public ip on the remote pix's physical interface and to a loopback, with a public ip, on the 7206. Can anyone point me in the direction of good documentation on this subject? Does anyone know if it will work correctly?

Thanks in advance for any info you can provide.


  • Other Security Subjects
Cisco Employee

Re: IPSec Tunnel Router Loopback to Pix outside int

It works, no problem. The PIX crypto config should point to the loopback address on the router.

The router crypto config will look like this:

crypto map mymap local-address loopback0

crypto map mymap 10 ipsec-isakmp

   set peer

   set transform-set ....

   match address ....

The rest of the crypto config is standard.

The "local-address" command makes the router source all crypto packets from the loopback address, which is necessary because that's what the PIX is pointing to.

Put the crypto map on the OUTGOING router interface, NOT the loopback interface, and everything should be fine.