08-31-2007 03:15 AM
Hi,
The following is the config from one of our 2811 routers. We applied crypto on the loopback interface but it's not working. Can you review the config and let us know your suggestions as to where else we can apply the crypto map for the VPN to work?
site#sh run
Building configuration...
Current configuration : 5956 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Site
!
boot-start-marker
boot-end-marker
!
enable secret cisco
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate wic 2
no network-clock-participate wic 3
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
controller T1 0/2/0
framing esf
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
controller T1 0/2/1
framing esf
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
controller T1 0/3/0
framing esf
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
controller T1 0/3/1
framing esf
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key wsld0829 address 66.78.246.175
!
!
crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
!
crypto map rtp 10 ipsec-isakmp
set peer 66.78.246.175
set transform-set rtpset
match address 110
!
!
!
interface Loopback0
description **** IP Address of Multilink Serial Lines ****
ip address 168.88.110.200 255.255.255.252
crypto map rtp
!
interface Serial0/0/0
description **** To Sprint HCGS/987682//LB ****
no ip address
encapsulation ppp
no fair-queue
pulse-time 1
ppp multilink
crypto map rtp
!
interface Serial0/1/0
description **** To Sprint HCGS/987683//LB ****
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
pulse-time 1
ppp multilink
!
interface Serial0/2/0:0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
pulse-time 1
ppp multilink
crypto map rtp
!
interface Serial0/2/1:0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
no fair-queue
pulse-time 1
ppp multilink
crypto map rtp
!
interface Serial0/3/0:0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
shutdown
no fair-queue
pulse-time 1
ppp multilink
!
interface Serial0/3/1:0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
encapsulation ppp
shutdown
no fair-queue
pulse-time 1
ppp multilink
!
interface Virtual-Template1
ip unnumbered Loopback0
ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 160.81.110.209
ip route 200.3.201.0 255.255.255.0 207.40.33.100
ip route 203.13.189.0 255.255.255.0 207.40.33.100
!
ip http server
no ip http secure-server
!
access-list 110 remark Tunnel ACL
access-list 110 remark Allowing router loopback
access-list 110 permit ip host 168.88.110.200 67.210.111.204 0.0.0.15
access-list 110 remark Allowing IP3
access-list 110 permit ip host 207.41.32.106 65.210.126.240 0.0.0.15
access-list 110 remark Allowing devices
access-list 110 permit ip 208.3.187.0 0.0.0.15 65.210.126.240 0.0.0.15
access-list 110 permit ip 208.3.187.16 0.0.0.7 65.210.126.240 0.0.0.15
access-list 110 permit ip 208.3.187.24 0.0.0.1 65.210.126.240 0.0.0.15
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login local
!
end
Your suggestion will be highly appreciated.
Regards,
khan
09-04-2007 02:31 AM
Please help me..
09-04-2007 03:26 AM
Jerry,
It's working now after I rebooted the router...
Thank you very much.
Regards,
Khan
09-04-2007 07:25 AM
Haha, finally, it works, it's great for me.
So, can you kindly paste your final configuration there? Other people can easily benefit from your configuration, and I don't need to answer this similar question anymore :).
Jerry
09-04-2007 08:24 AM
Jerry,
Sure, I will paste and rate your inputs.
Could you please tell me what exactly the following command does? As soon as I removed this command, everything started working fine so far.
ip verify unicast reverse-path
Regards,
Khan
09-04-2007 08:55 AM
ip verify unicast reverse-path is a security feature; it's been in Cisco IOS routers and PIX firewalls a long time. In summary, this security feature just verifies that the packets the router receives come in on the port where the respective returning packets should be forwarded out through. One port in and same port out!
See the URL below for more detail:
Thanks,
Jerry
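Added example, not part of the original thread or of Cisco's code: a simplified Python model of the strict "one port in and same port out" check described above. The FIB contents, the /27 LAN prefix and the interface names Multilink1 and FastEthernet0/0 are constructed assumptions, and the model lets the default route satisfy the check.

```python
import ipaddress

# Constructed FIB (prefix -> egress interface). Which interface each route
# resolves to is an assumption made for illustration, not taken from the router.
FIB = {
    "0.0.0.0/0": "Multilink1",            # hypothetical bundle interface for the default route
    "208.3.187.0/27": "FastEthernet0/0",  # hypothetical LAN interface, constructed prefix
}

def reverse_path(src, fib=FIB):
    """Longest-prefix match on the packet's SOURCE address.
    Returns the interface the router would use to send traffic back, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_strict(src, ingress, fib=FIB):
    """Strict check: pass only if the packet arrived on the same interface
    the router would use to reach its source address."""
    return reverse_path(src, fib) == ingress

def classify(packets, fib=FIB):
    """Return (src, ingress, verdict) for each (src, ingress) pair."""
    return [(src, ingress, "forward" if urpf_strict(src, ingress, fib) else "drop")
            for src, ingress in packets]

# Constructed sample packets: (source address, interface the packet arrived on).
PACKETS = [
    ("66.78.246.175", "Multilink1"),     # arrives where the return route points
    ("66.78.246.175", "Serial0/2/0:0"),  # arrives on an interface the FIB does not point to
    ("208.3.187.5", "FastEthernet0/0"),  # LAN host on the LAN interface
    ("208.3.187.5", "Multilink1"),       # LAN source address showing up on the WAN side
]

if __name__ == "__main__":
    for src, ingress, verdict in classify(PACKETS):
        print(f"{src:15} in {ingress:16} -> {verdict}")
```

In this model the check only passes when the ingress interface is exactly the one the FIB names for the source, so the result depends on which interface the routing table resolves to, not on which physical link carried the packet.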