Re: Crypto Map on Inside interface

nkm · ‎12-11-2007

I am assisting a client with their VPN setup, and just want to know if it's possible to apply a crypto map on the inside interface.

I have tried however I am unable to ping anything inside the private network.

The inside netwiork is as follows..

interface Vlan1

ip address xxx.xxx.xxx.xxx 255.255.255.192 secondary

ip address yyy.yyy.yyy.yyy 255.255.255.248

ip nat inside

ip virtual-reassembly

crypto map VPNMap

xxx - the internal 'private' network

yyy - Internet reachable IP address

To even ping from my network, I had to create a static router to the vlan1 interface, so as to trigger the encryption process.

I also have the following

ip nat inside source route-map nonat pool in-net overload

Where in-net is doing PAT for internal hosts wanting to connect to the Internet

When I ping from my network, to the xxx (vlan1 secondary IP address), it works OK, when I however try to ping anything inside the private xxx network, I get 50% packet loss (reply - no reply - reply etc).

I am wondering if what I am doing can actually work, or does a crypto map have to be applied to an 'nat outside' interface only?

Any ideas?

Richard Burts · ‎12-11-2007

Nik

As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?

I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?

HTH

Rick

HTH

Rick

nkm · ‎12-11-2007

As I mentioned, I am assisting a customer, he insists that the WAN IP address can't be used, so I have to create a VPN with the routable (public) IP Address, which is on the internal interface.