
multiple crypto map on one serial interface on 2811 router

Hi Experts,

I am running into an issue. I have a site-to-site VPN which is running great. Now I am trying to configure remote access for my clients through the VPN client.

The problem right now is that only one crypto map is supported per interface.

I understand that I need to create a subinterface on my serial one, but which IP address can I use, since I have subnet 30 and no more external IPs are available to me?

I hope my question is clear.

Thanks for your help


guibarati
Level 4

Hi, you don't have to configure a sub-interface. You need to configure site-to-site and remote access VPN in the same crypto map.

The crypto map has orders (10, 20, 30, up to 65535), and they are processed from the lowest number to the highest.

You need to configure a crypto dynamic map, and then tie this dynamic map into the crypto map that is already on the interface.

Jon Marshall
Hall of Fame

In addition to the previous post, here is a link to a doc which covers configuring both site-to-site and VPN clients on the same router.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Jon

Thanks guys for the replies.

I did follow the link above and I can get in and even receive an IP address; however, no internet browsing nor browsing into my LAN.

I guess I am missing something.

Thanks again

Have a look at this link, which covers the most common connectivity problems for both site-to-site and remote access VPNs -

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Jon

Hi,

Thanks for the link. Still no luck with my dynamic VPN access.

I still can't ping my LAN from the VPN nor browse the internet. Here is my config.

Please let me know what I am doing wrong.

Thanks again

hostname myrouter
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-6.T2.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -7
!
!
voice-card 0
 no dspfarm
!
!
!
username 1 privilege 15 secret 5 $1$INVD$TZsrqqtNTJx5FGNgDLKAG.
username 2 privilege 15 secret 5 $1$eLwX$vjRn0J6/HCwhfRU0jaRqE.
username 3 privilege 15 secret 5 $1$OPSY$k3d/vmDP1SUu5utDtHICb.
!
!
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key key12
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key10 address 6.6.6.6
!
crypto isakmp client configuration group testgroup
 key key12
 dns 192.168.0.168
 domain vi.us
 pool ippool
crypto isakmp profile vpnclient
 description vpn profiles
 match identity group testgroup
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set zuzu esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map nolan 5
 set transform-set myset
 set isakmp-profile vpnclient
!
!
crypto map nolan 10 ipsec-isakmp dynamic nolan
crypto map nolan 15 ipsec-isakmp
 set peer 6.6.6.6
 set transform-set zuzu
 match address 120
!
!
!
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
!
interface Serial0/0/0
 ip address 2.1.2.9 255.255.255.252
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 shutdown
!
interface Serial0/1/0
 ip address 20.1.2.5 255.255.255.252
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 service-module t1 clock source internal
 crypto map nolan
!
interface Vlan1
 no ip address
!
router rip
 passive-interface Serial0/1/0
 network 192.168.168.0
 network 192.168.200.0
!
ip local pool ippool 192.168.6.1 192.168.6.5
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 192.168.0.0 255.255.255.0 FastEthernet0/1
ip route 192.168.6.0 255.255.255.0 Serial0/1/0
ip route 192.168.200.0 255.255.255.0 Serial0/1/0
!
ip flow-top-talkers
 top 30
 sort-by bytes
!
ip http server
no ip http secure-server
!
l
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.168.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 20.1.2.5 0.0.0.3 host 6.6.6.6
access-list 120 permit ip 192.168.168.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 125 permit ip 192.168.168.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 130 deny ip 192.168.168.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map ISP2 permit 10
 match ip address 130
 match interface Serial0/0/0
!
route-map nonat permit 10
 match ip address 130
 match interface Serial0/1/0
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class 3 in
!
no scheduler allocate
!
no inservice
!
!
end
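
An offline check of the crypto lines in the configuration posted above, added here as an example; it is not from any poster in this thread and not Cisco tooling. It applies the ordering point from the first reply (lower sequence numbers are evaluated first; Cisco's guidance is to give the entry that references a dynamic map the highest number) and flags DES/MD5 transform sets. The names `audit`, `SAMPLE` and `WEAK` and the finding strings are assumptions of this example.

```python
import re

# Constructed excerpt: the crypto lines of the configuration posted above.
SAMPLE = """\
crypto ipsec transform-set zuzu esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map nolan 5
 set transform-set myset
crypto map nolan 10 ipsec-isakmp dynamic nolan
crypto map nolan 15 ipsec-isakmp
 set peer 6.6.6.6
 set transform-set zuzu
 match address 120
"""

# Transform keywords treated as weak by this example (DES and MD5).
WEAK = {"esp-des": "single DES", "esp-md5-hmac": "HMAC-MD5", "ah-md5-hmac": "HMAC-MD5"}
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?")


def audit(config):
    """Return findings (strings) for an IOS-style configuration text."""
    findings = []
    entries = {}  # crypto map name -> list of (sequence, is_dynamic)
    for raw in config.splitlines():
        line = raw.strip()
        m = TSET_RE.match(line)
        if m:
            for word in m.group(2).split():
                if word in WEAK:
                    findings.append(f"transform-set {m.group(1)}: {word} ({WEAK[word]})")
        m = MAP_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append((int(m.group(2)), bool(m.group(3))))
    for name, seqs in entries.items():
        static = sorted(s for s, dyn in seqs if not dyn)
        for seq, dyn in seqs:
            later = [s for s in static if s > seq]
            if dyn and later:
                # Lower numbers are evaluated first, so this dynamic entry is
                # tried before the static peer entries listed in `later`.
                findings.append(f"crypto map {name} {seq}: dynamic entry precedes static {later}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The findings describe ordering and algorithm strength only; they do not by themselves explain the connectivity symptoms reported in the thread.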
