I wonder if it is possible to create a VPN tunnel with a Cisco router using only one interface? The same interface would lead to both the external and the internal networks, like reverse proxies for instance.
Of course the crypto map is configured on this single interface.
All my attempts have failed so far. It only works when configuring one external interface with the crypto map and one internal interface.
Is there a way to make this work?
Thanks for your replies.
Can I ask *why* you'd want to do this?
Also, if you can mention what wasn't working in your tests (where it was failing), maybe we can figure it out better...
I need to do this configuration because of my customer. He allows only one interface on a dedicated DMZ. Therefore I must configure the router to act as a reverse proxy.
In fact I need to set up a tunnel between a Checkpoint FW and the Cisco router.
Additionally, the Cisco router has only one private address. The NAT is performed by the customer's Internet firewall.
And the source addresses on my side have to be NATed to a private address 172.31.x.x (PAT) before going into the tunnel.
FW VPN ----------------> Cust Int FW ---> VPN cisco
My LAN (encrypt.domain)                  Cust.LAN (encrypt.domain)
Since my first post I have managed to make this work with a loopback interface and the "set ip next-hop" command: I re-route the encrypted packets virtually through the loopback, and then the router seems to act as if it had two network interfaces.
But each time I make a change (new NAT, PAT, network address) for my tests (before setting up the VPN definitively) I run into difficulties with the ACLs (the one for the route-map and the one for the crypto map).
The most frequent error message (when I don't use any route-map) is: %CRYPTO-4-RECVD_PKT_NOT_IPSEC
I think that I don't clearly understand what to put in the ACLs, and maybe the route-map solution is not the right one for my configuration.
My crypto ACL contains:
! Crypto ACL (placeholders kept as written in the post)
access-list 100 permit esp public-ip_vpn-router public-ip_FW
access-list 100 permit esp public-ip_FW public-ip_vpn-router
access-list 100 permit esp private-ip_vpn-router public-ip_FW
access-list 100 permit esp public-ip_FW private-ip_vpn-router
access-list 100 permit ip PAT(of my LAN) Cust.LAN
access-list 100 permit ip Cust.LAN PAT(of my LAN)
access-list 100 deny ip any any
! Interface lines (interface names not given in the post; the first address
! is presumably the loopback, the second the single physical interface)
 ip address 126.96.36.199 255.255.255.0
 ip address private-address
 ip policy route-map YYY
! route-map YYY ("match ip list" is not valid IOS syntax; corrected to "match ip address")
 set ip next-hop 188.8.131.52
 match ip address 120
ACL 120 (route-map):
access-list 120 permit ip PAT(of my LAN) Cust.LAN
access-list 120 permit ip Cust.LAN PAT(of my LAN)
What do you think about this config?
Do you have a sample config, or any ideas of the right configuration to make this work definitively?
Thank you for your help.
Well, it works great now!
The problem was indeed the ACLs.
Here is the solution:
For the crypto map ACL: just write one-direction ACL entries (from the LAN behind the router to the Checkpoint LAN in my case), and not ESP flows, just the flows which need to be encrypted.
For the route-map ACL (for the loopback): you must write both directions (LAN behind the router <-> LAN behind the FW).
And all works great.
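A cleaned-up configuration that follows the fix described in the post above (one-direction crypto ACL, two-direction route-map ACL, loopback plus policy routing on the single interface), as an added example and not the poster's own config. Every address, interface name, ACL name and the pre-shared key are assumed placeholders, not values from the thread.

```cisco
! Added example following the poster's fix; not the thread's own config.
! All addresses, interface names and the pre-shared key are assumed
! placeholders (RFC 5737 / RFC 1918 ranges), not values from the thread.
!
! 172.31.1.0/24 = PAT address range of my LAN   (assumed)
! 192.0.2.0/24  = customer LAN behind the Checkpoint FW (assumed)
! 203.0.113.1   = public IP of the Checkpoint VPN peer (assumed)

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel

! Crypto ACL: ONE direction only, and only the traffic to be encrypted.
! No ESP entries here: ESP is the result of the crypto map, not its input.
ip access-list extended CRYPTO-ACL
 permit ip 172.31.1.0 0.0.0.255 192.0.2.0 0.0.0.255

! Route-map ACL: BOTH directions, so traffic to and from the remote LAN
! is steered through the loopback before the crypto map sees it.
ip access-list extended ROUTEMAP-ACL
 permit ip 172.31.1.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 172.31.1.0 0.0.0.255

route-map VIA-LOOPBACK permit 10
 match ip address ROUTEMAP-ACL
 set ip next-hop 10.255.255.2

crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address CRYPTO-ACL

! Loopback used only to give the router a "second" interface to route via.
interface Loopback0
 ip address 10.255.255.1 255.255.255.252

! The single physical interface: carries both clear-text and encrypted
! traffic, so the crypto map and the policy route-map both sit here.
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 ip policy route-map VIA-LOOPBACK
 crypto map CMAP
```

If the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message from the thread still appears, check that the crypto ACL lists only the clear-text flows to protect and that the ESP entries have been removed from it.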