Cisco Support Community
New Member

cisco 877 - crypto map problem

We have set up a L2L VPN between a cisco 877 and an ASA 5505.

On the 877 side we have :

dialer 0 : connect to internet and has a dynamic IP given by ISP

Loopback1 : has a static IP from the assigned Public IP range .

Vlan 1: has a static private IP for the LAN

FE3 : interface connected to the LAN

We have the following problem.

We have applied the crypto map to the Loopback interface, and with this configuration we can reach the router's internal interface (VLAN 1 IP) from the ASA internal network, but other than that we cannot reach any host on the inside LAN of the router.

If we apply the crypto map to the FE3 interface we can also ping the internal LAN, but we lose half the pings and the round trip is high (500-800 ms instead of 70-80 ms when applied only to Loopback 1).

So I need help on this. What should be the correct configuration to have it all working fine?

thanks in advance

Accepted Solution
New Member

Re: cisco 877 - crypto map problem

In the first configuration (crypto-map applied on loopback interface) you can try this :

no ip cef (on Cisco 877)

CEF in many versions has problems similar to yours.

10 REPLIES
Cisco Employee

Re: cisco 877 - crypto map problem

Do you have "ip nat outside" on your loopback interface when the crypto map is applied, and configured ACL (NAT exemption) to deny traffic between internal subnet towards the ASA remote LAN?

New Member

Re: cisco 877 - crypto map problem

Hi,

Yes, I have ip nat outside on the Lo interface.

Regarding ACLs, I have an ACL on the crypto map to identify the interesting traffic. Do you mean that, or another ACL applied directly to the Lo interface?

Can you provide an example?

thanks

Cisco Employee

Re: cisco 877 - crypto map problem

No, I mean the ACL that you assign to your NAT statement. Does it have a deny statement between your internal network towards the ASA remote LAN?

New Member

Re: cisco 877 - crypto map problem

I'm checking; meanwhile I noticed that there's also an ip nat outside on the Dialer 0 interface. Should I remove it, or won't it affect the problem?

thanks

Cisco Employee

Re: cisco 877 - crypto map problem

No, don't remove the "ip nat outside" from the Dialer0 interface. No one can browse the internet if you do so.

New Member

Re: cisco 877 - crypto map problem

No one should browse the internet from this connection; it should only be used as a VPN to the main office.

As for the ACL, we have this ACL:

access-list 130 deny   ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny   ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any

and this NAT statement:

ip nat inside source list 130 interface Loopback1 overload
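One check the discussion above calls for, written in Python as an added example (not from the thread or from Cisco): parse the NAT ACL and the crypto (interesting-traffic) ACL and report any VPN subnet pair that the NAT statement would still translate. The crypto ACL number 110 and its contents are assumptions; ACL 130 is the one posted.

```python
import ipaddress

# NAT ACL exactly as posted in the thread; the crypto ACL (number 110) is an
# assumption, built from the two destinations that the deny lines exempt.
NAT_ACL = """
access-list 130 deny   ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny   ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
"""
CRYPTO_ACL = """
access-list 110 permit ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 110 permit ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
"""

def _take_net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild = int(ipaddress.ip_address(tokens[1]))
    if wild & (wild + 1):  # only contiguous wildcards map to a prefix length
        raise ValueError("non-contiguous wildcard mask: " + tokens[1])
    net = ipaddress.ip_network(f"{tokens[0]}/{32 - wild.bit_length()}", strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for numbered 'ip' ACEs, in order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "access-list" and tok[3] == "ip":
            src, rest = _take_net(tok[4:])
            dst, _ = _take_net(rest)
            entries.append((tok[2], src, dst))
    return entries

def first_match(acl, src, dst):
    """IOS evaluates ACEs top-down: first match wins, no match is an implicit deny."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def nat_exemption_gaps(nat_text, crypto_text):
    """Interesting-traffic pairs the NAT ACL would still translate; should be empty."""
    nat = parse_acl(nat_text)
    return [(str(s), str(d)) for act, s, d in parse_acl(crypto_text)
            if act == "permit" and first_match(nat, s, d) == "permit"]
```

The match compares whole crypto subnets, so a NAT deny that covers only part of an interesting pair is still reported as a gap, which is the conservative result.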

Cisco Employee

Re: cisco 877 - crypto map problem

OK, so I assume 10.80.5.0/24 and 192.168.80.0/24 are your remote subnets, and 192.168.110.0/24 is your internal subnet.

Since you mentioned that this router is not used for Internet, then I assume that you have another device/router that serves the internet, hence, I believe your internal hosts' default gateway is not this vpn router.

You would need to route traffic towards 10.80.5.0/24 and 192.168.80.0/24 to this router internal interface (vlan 1 ip address).

New Member

Re: cisco 877 - crypto map problem

on the internal host there's a static route for network 10.80.5.0


New Member

Re: cisco 877 - crypto map problem

Pepe_n,

thanks so much for your help.

It was exactly my case; disabling ip cef worked fine.

best regards
