
"Crypto map" to inside/internal interface. Possible?

Hi, I have two routers on a point-to-point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine but I need each router to present a different IP address to that of the external interface.

For example:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key privatekey address 4.4.4.4 no-xauth
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set 3des
 match address vpn
!
interface FastEthernet0/0
 ip address 4.4.4.4 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 speed 10
 full-duplex
 no cdp enable
 crypto map VPN
!
interface FastEthernet0/1
 ip address 8.8.8.8 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the Crypto statements as below but it still presents the 4.4.4.4, probably due to the interface the Crypto map is applied to.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key privatekey address 8.8.8.8 no-xauth
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer 8.8.8.8
 set transform-set 3des
 match address vpn

How can I make sure that 8.8.8.8 is what's presented at the other end?


Thanks


Andy

Accepted Solutions

Hi Andy,

I would suggest the following command:

crypto map local-address

http://tools.cisco.com/squish/9c85B

To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.

crypto map map-name local-address interface-id

no crypto map map-name local-address

Example:

interface loopback0
 ip address 4.2.2.2 255.255.255.252
!
crypto map mymap local-address loopback0
!
interface S0
 crypto map mymap
!

Of course you need to make sure the remote end can reach this additional IP address.

Let me know if you have any questions.

Please rate any post that you find useful.
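
As an added example (not part of the original thread and not a Cisco tool): a small Python check that reads an IOS configuration and reports which address each applied crypto map will present, following the local-address rule described in the answer above. The sample configuration is constructed from the asker's listing with a `local-address` line added as an assumption, and interface names are expected to be written the same way in both places (letter case aside).

```python
import re

# Constructed sample: the asker's router with the accepted answer applied.
# The local-address line naming FastEthernet0/1 is an assumption, not from the thread.
SAMPLE_CONFIG = """\
crypto map VPN local-address FastEthernet0/1
crypto map VPN 1 ipsec-isakmp
 set peer 4.4.4.4
!
interface FastEthernet0/0
 ip address 4.4.4.4 255.255.255.252
 crypto map VPN
!
interface FastEthernet0/1
 ip address 8.8.8.8 255.255.255.248
"""

def presented_addresses(config):
    """Return {(map_name, applied_interface): source_ip} for every applied crypto map."""
    iface_ip, local_addr, applied = {}, {}, []
    current = None                                # interface block being read
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                           # separator closes the interface block
            current = None
            continue
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"crypto map (\S+) local-address (\S+)$", line):
            local_addr[m.group(1)] = m.group(2).lower()
        elif current and (m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) \S+$", line)):
            iface_ip[current.lower()] = m.group(1)    # primary address only
        elif current and (m := re.match(r"crypto map (\S+)$", line)):
            applied.append((m.group(1), current))     # map applied to this interface
    result = {}
    for name, iface in applied:
        # local-address, when present, replaces the applied interface as the source
        src = local_addr.get(name, iface.lower())
        result[(name, iface)] = iface_ip.get(src)     # None: interface missing or unaddressed
    return result

if __name__ == "__main__":
    for (name, iface), ip in presented_addresses(SAMPLE_CONFIG).items():
        print(f"crypto map {name} applied on {iface} presents {ip}")
```

A result of `None` means the named local-address interface is absent or has no address in the configuration, which is worth catching before the remote peer's `set peer` and pre-shared key address are changed to match.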


Thanks Javier. That worked a treat

Great news my friend

Thanks for counting on us!

Take care!!
