09-06-2007 02:13 AM - edited 03-03-2019 06:37 PM
I tried to change the IP of a WAN link between a remote router and the main router. I did that and it seems to work. Then I pinged and telnetted to the remote router and it was fine. I could also ping the remote users. Then the remote users called me and reported that they cannot work in a program (database) located near the main router.
After checking the problem I realised that on both link interfaces there was a crypto map with certain access-lists.
Is that the problem?
How can I correct it?
Thanks
moses
09-06-2007 02:50 AM
The config looks like below:
crypto map ABCD 2 ipsec-isakmp
 set peer 21.185.230.87 << this line
 set transform-set ABCset
 match address 128
The peer is the remote termination point for the VPN. You will have to modify the VPN peer setting on the other end of the VPN tunnel so that it points to the IP address of the router.
regards,
Leo
09-06-2007 05:37 AM
Moses
I believe that the suggestion by Leo that the issue may be the peer address is a good suggestion. Depending on how the crypto config was set up this may be an issue or may not (we do not know if the peering is to the physical outside interface (where it would be a problem) or is to some other address).
We do not know enough about the situation to be able to say whether the access list is an issue. The access list identifies what traffic is to be protected by IPSec. In some situations (especially if it is IPSec with GRE tunnels) the access list does reference the physical outside interface address and the access list would be a problem. But in some other implementations of IPSec the access list references the LAN addresses where the users are located and in this situation the access list would not be an issue.
Perhaps you can supply a bit more information about the environment and some details of how the crypto configuration is set up?
HTH
Rick
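The two checks discussed in the replies above (does each `set peer` still point at an address the other router owns, and does the crypto access list still name a live link address) can be run over both configurations after a WAN renumbering. This is an added example, not code from the thread; it assumes IOS-style config text from both routers and peering to interface addresses, and the addresses in the sample are constructed documentation ranges.

```python
import re
IP = r"(\d+\.\d+\.\d+\.\d+)"

def parse(config):
    """Collect interface IPs, crypto map peers/ACL numbers and ACL host addresses."""
    r = {"ips": set(), "peers": {}, "acl_of": {}, "acl_hosts": {}}
    entry = None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", s):
            entry = f"{m.group(1)} {m.group(2)}"      # e.g. "ABCD 2"
        elif not line.startswith(" "):
            entry = None                              # any other top-level command ends the entry
        if m := re.match(rf"ip address {IP} ", s):
            r["ips"].add(m.group(1))
        elif entry and (m := re.match(rf"set peer {IP}", s)):
            r["peers"].setdefault(entry, []).append(m.group(1))
        elif entry and (m := re.match(r"match address (\S+)", s)):
            r["acl_of"][entry] = m.group(1)
        elif m := re.match(r"access-list (\S+) ", s):
            r["acl_hosts"].setdefault(m.group(1), set()).update(re.findall(rf"host {IP}", s))
    return r

def check(local, remote):
    """Findings for crypto map entries on `local` that no longer line up with `remote`."""
    known, findings = local["ips"] | remote["ips"], []
    for entry, peers in sorted(local["peers"].items()):
        findings += [f"{entry}: peer {p} is not an interface address on the other router"
                     for p in peers if p not in remote["ips"]]
        acl = local["acl_of"].get(entry)
        findings += [f"{entry}: access-list {acl} references {h}, configured on neither router"
                     for h in sorted(local["acl_hosts"].get(acl, set()) - known)]
    return findings

# Constructed sample config; the names ABCD, ABCset and ACL 128 follow the thread's snippet.
TEMPLATE = """interface Serial0/0
 ip address {wan} 255.255.255.252
 crypto map ABCD
crypto map ABCD 2 ipsec-isakmp
 set peer {peer}
 set transform-set ABCset
 match address 128
access-list 128 permit gre host {src} host {peer}
"""
MAIN = parse(TEMPLATE.format(wan="198.51.100.1", peer="198.51.100.2", src="198.51.100.1"))
# Remote router: interface renumbered, crypto config still on the old link addresses.
REMOTE = parse(TEMPLATE.format(wan="198.51.100.2", peer="192.0.2.1", src="192.0.2.2"))

if __name__ == "__main__":
    print("\n".join(check(REMOTE, MAIN)) or "peers and ACLs match")
```

A peer that is deliberately a loopback or NAT address will also be listed only if it is missing from the other router's interface addresses, so each finding is a prompt to look at that line rather than proof of a fault.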
09-06-2007 07:39 AM
Since I do not know this subject (I am only CCNA), can I for now remove this crypto map from both the interfaces and later, when I have the knowledge, do the proper work? Do you think that the system will work?
Do I need a crypto map in a private network connected with leased lines?
Thanks again
moses
09-06-2007 07:58 AM
Moses
If you remove the crypto map from the interfaces then whatever VPN was there would no longer function. Of course from your questions I believe that there is some possibility that it is not functioning (or not functioning completely) now. It would require more familiarity with your environment to know how much difference removing the VPN would make.
Knowing whether you need the crypto map in a private network with leased lines depends on what the requirements are within the private network. I can say that I recently did a project for a customer which was similar. It was within an enterprise network where the routers were connected by leased lines. Because of the type of data being transmitted the customer had a requirement that the data must be encrypted during transmission so we configured IPSec VPN with crypto maps on the interfaces to provide a VPN over the leased line connection.
HTH
Rick
09-06-2007 08:57 AM
Moses, it is unlikely that this VPN was there for nothing. Hence I agree with Rick that simply removing the crypto-config isn't a good idea at all.
You should either try to fix it or perform a rollback of the changes that have already been done.
regards,
Leo
09-06-2007 05:30 PM
Moses
Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read answers that resolved the question. I encourage you to continue your participation in the forum.
HTH
Rick