04-19-2010 12:20 AM
We have set up a L2L VPN between a cisco 877 and an ASA 5505.
On the 877 side we have :
dialer 0 : connect to internet and has a dynamic IP given by ISP
Loopback1 : has a static IP from the assigned Public IP range .
Vlan 1: has a static private IP for the LAN
FE3 : Interface connected to LAN
We have the following problem.
We have applied the crypto map to the Loopback interface, and with this configuration we can reach the router's internal interface (VLAN 1 IP) from the ASA internal network, but other than that we cannot reach any host on the inside LAN of the router.
If we apply the crypto map to the FE3 interface we can also ping the internal LAN, but we lose half the pings and the round trip is high (500-800 ms instead of 70-80 when applied only to Loopback1).
So I need help on this. What should be the correct configuration to have it all working fine?
Thanks in advance
05-03-2010 11:23 PM
In the first configuration (crypto map applied on the loopback interface) you can try this:
no ip cef (on Cisco 877)
CEF in many versions has problems similar to yours.
04-19-2010 12:25 AM
Do you have "ip nat outside" on your loopback interface when the crypto map is applied, and configured ACL (NAT exemption) to deny traffic between internal subnet towards the ASA remote LAN?
04-19-2010 12:33 AM
Hi,
yes, I have IP NAT OUTSIDE on the lo interface.
Regarding the ACL, I have an ACL on the crypto map to identify the interesting traffic; do you mean that or another ACL directly applied to the lo interface?
Can you provide an example?
Thanks
04-19-2010 12:37 AM
No, I mean the ACL that you assign to your NAT statement. Does it have a deny statement between your internal network towards the ASA remote LAN?
04-19-2010 12:47 AM
I'm checking; meanwhile I noticed that there's also an IP NAT outside on the Dialer0 interface. Should I remove it, or won't it affect the problem?
Thanks
04-19-2010 12:49 AM
No, don't remove the "ip nat outside" from the Dialer0 interface. No one can browse the internet if you do so.
04-19-2010 12:58 AM
No one should browse the internet from this connection; it should only be used as a VPN to the main office.
As for the ACL, we have this ACL:
access-list 130 deny ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
and this NAT:
ip nat inside source list 130 interface Loopback1 overload
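As an added illustration (not from the thread), a small Python check of the point pepe_n raises above: every source/destination pair in the crypto map's interesting-traffic ACL must hit a deny in the NAT ACL before it reaches the permit, otherwise the router translates that traffic instead of sending it through the tunnel. The NAT ACL is the one posted above; the crypto-map ACL 120 and the extra 172.16.9.0/24 remote subnet are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: NAT ACL as posted in the thread, plus an
# assumed crypto-map (interesting traffic) ACL with one extra remote subnet.
NAT_ACL = """
access-list 130 deny ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 130 deny ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 130 permit ip 192.168.110.0 0.0.0.255 any
"""
CRYPTO_ACL = """
access-list 120 permit ip 192.168.110.0 0.0.0.255 10.80.5.0 0.0.0.255
access-list 120 permit ip 192.168.110.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 120 permit ip 192.168.110.0 0.0.0.255 172.16.9.0 0.0.0.255
"""

def _network(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) -> network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard is the bitwise inverse of a (contiguous) subnet mask.
    mask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network((tok, str(ipaddress.ip_address(mask))), strict=False)

def parse_acl(text):
    """Return (action, src_net, dst_net) entries in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+ip\s+(.*)", line.strip())
        if m:
            tokens = m.group(2).split()
            entries.append((m.group(1), _network(tokens), _network(tokens)))
    return entries

def nat_action(nat_acl, src, dst):
    """First-match lookup: will the NAT ACL translate this src->dst pair?"""
    for action, s, d in nat_acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny

def missing_exemptions(nat_acl_text, crypto_acl_text):
    """Interesting-traffic pairs that the NAT ACL would still translate."""
    nat = parse_acl(nat_acl_text)
    return [(str(s), str(d)) for action, s, d in parse_acl(crypto_acl_text)
            if action == "permit" and nat_action(nat, s, d) == "permit"]
```

Running missing_exemptions(NAT_ACL, CRYPTO_ACL) reports the 172.16.9.0/24 pair only, since the two subnets in the thread already have matching deny lines.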
04-19-2010 01:04 AM
OK, so I assume 10.80.5.0/24 and 192.168.80.0/24 are your remote subnets, and 192.168.110.0/24 is your internal subnet.
Since you mentioned that this router is not used for Internet, then I assume that you have another device/router that serves the internet, hence, I believe your internal hosts' default gateway is not this vpn router.
You would need to route traffic towards 10.80.5.0/24 and 192.168.80.0/24 to this router internal interface (vlan 1 ip address).
04-19-2010 01:07 AM
on the internal host there's a static route for network 10.80.5.0
05-06-2010 02:05 AM
Pepe_n,
thanks so much for your help.
It was exactly my case; disabling IP CEF worked fine.
Best regards