In our environment we have a Zone based firewall on CIsco ASR 1000 XE router, terminating normal IPsec VPN sessions on ZBF. The router has one outgoing physical interface (g0/0/0) connected to ISP as outside Interface and multiple Interfaces on the Inside network on Port channels VLAN/VRF.
The remote access VPN (Easy VPN) is applied using crypto map configuration on the interface connected to ISP.
Now, there was also a requirement to provide IPSec termination on the same physical inteface g0/0/0 to a different customer via a VRF aware Remote access. Two configuration templates were implemented with similar results. IPSec Tunnel comes up fine for the VRF profile but tunnel cannot pass traffic. Ping from IPsec client to an IP address on the Inside network times out and trace route shows that this gets dropped somwhere in the ISP cloud.
Configuration 1 - Crypto Dynamic Map
crypto isakmp policy 15
encr aes 256
crypto isakmp client configuration group admin-vpn
crypto isakmp client configuration group centralsTEMP-vpn
Thank you very much for your response and actually, we did open a TAC and the problem was resolved using Crypto Map dynamic configurations for both Standard and IPSec aware VPN's. Some specific policies on ZBF were tweaked (for example echo-reply packet inspection was deleted(configured for Pass) and also some access-lists which had unwanted entries were cleaned up.
Are you responsible for risk management, compliance management and auditing of a network?
If so, we’d like to speak with you to learn your current processes of enforcing compliance and managing risk to help us develop services that will ...
Once you've expanded Cisco Secure Endpoint connector deployment to about 50% of your licensed count (check out this article that shows you how to do that), it's time to put those connectors to action i.e. convert them to Protect from Audit mode for vari...
Hello! I’m Betsy, UX Researcher, on the Cisco+ Secure Connect Now team. Nice to meet you all .We have a short survey to learn about your Zero Trust Network Access (ZTNA) journey. Whether you have, plan to, or have not implemented a ...
A set of interface access rules can cause the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host and one se...
How To: Cisco ISE Captive Portals with Aruba Wireless
Authors: Adam Hollifield, Brad Johnson
IntroductionPrerequisitesMinimum RequirementsComponents UsedConfigurationAruba Wireless ControllerWLAN CreationAuthentication ConfigurationRole & Policy Confi...