Firewall Wizards mailing list archives
CISCO 3640 IPSEC problem
From: "James Kevin Eaves" <kevin () dominet com>
Date: Tue, 14 Mar 2006 09:09:54 -0600
I have a Cisco 3640 with one outside interface and one inside interface. I have 9 locations that are connecting to the firewall using a dynamic IPSEC tunnel. Each location has its own private subnet. I have no problems with this setup. I can see the IPs at the other end and vice versa. Now, I want to add a second inside interface (192.168.1.1). When I put a machine on the second interface I am unable to see the other locations from the machine, and I get this error on debug when I try to ping from, for example, 192.168.1.80 to 10.0.0.1: "crypto map check failed". Am I missing something, or is this even possible? Here is my setup on the firewall.

VPN LOCATIONS - 10.0.1.0 to 10.0.9.0

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set combined-des esp-des esp-md5-hmac
!
crypto dynamic-map mymap 1
 set transform-set combined-des
 match address allofit
!
!
crypto map mymap-map local-address FastEthernet1/1
crypto map mymap-map 1 ipsec-isakmp dynamic mymap
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description inside_LAN_0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat2
!
interface FastEthernet1/0
 description inside_LAN_1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat1
!
interface FastEthernet1/1
 description outside_abcd
 ip address a.b.c.d 255.255.255.224
 ip access-group 112 in
 ip nat outside
 crypto map mymap-map
!
ip nat inside source list 173 interface FastEthernet1/1 overload
ip nat inside source list 174 interface FastEthernet1/1 overload
!
ip nat inside source static 192.168.0.76 a.b.c.91
ip nat inside source static 192.168.1.43 a.b.c.80
!
ip route 0.0.0.0 0.0.0.0 a.b.c.65
!
no ip access-list extended allofit
ip access-list extended allofit
 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.0.255 any
 deny ip 192.168.1.0 0.0.0.255 any
!
route-map nonat2 permit 11
 match ip address 123
 set ip next-hop 1.1.1.2
route-map nonat1 permit 10
 match ip address 124
 set ip next-hop 1.1.1.2
!
access-list 123 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
!
access-list 124 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
!
access-list 173 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 173 deny ip host 192.168.0.91 any
access-list 173 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 174 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 174 deny ip host 192.168.1.80 any
access-list 174 permit ip 192.168.0.0 0.0.0.255 any

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
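Added example (not part of the original post or of any IOS code): IOS evaluates an access list top to bottom, first match wins, with wildcard masks in which a 1 bit means "don't care", and a list that matches nothing ends in an implicit deny. The script below reimplements that matching for the `permit|deny ip SRC DST` entry forms used in the posted config and runs the crypto ACL `allofit` and the two NAT lists 173 and 174, copied verbatim from the post, against a few constructed flows. It shows that 192.168.1.80 to 10.0.0.1 is permitted by the second line of `allofit` and denied by the host line of 174, while any other 192.168.1.x source matches no line of 174 at all (its deny line names 192.168.2.0/24 and its permit line 192.168.0.0/24) and falls to the implicit deny. Sample addresses are chosen here for illustration; 203.0.113.10 is a documentation address standing in for an Internet host.

```python
"""Added example: first-match evaluation of Cisco IOS wildcard-mask ACLs.

Reimplements how IOS tests a source/destination pair against
'permit|deny ip SRC DST' entries so the ACLs from the posted config can be
checked offline. Not the router's code; the flows below are constructed.
"""
import ipaddress

# ACLs copied from the posted config (named form for allofit, numbered for the rest).
ALLOFIT = """
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.0.255 any
deny ip 192.168.1.0 0.0.0.255 any
"""
ACL_173 = """
access-list 173 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 173 deny ip host 192.168.0.91 any
access-list 173 permit ip 192.168.0.0 0.0.0.255 any
"""
ACL_174 = """
access-list 174 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 174 deny ip host 192.168.1.80 any
access-list 174 permit ip 192.168.0.0 0.0.0.255 any
"""


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _parse_term(tokens, i):
    """Parse one address term at tokens[i]: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.
    Returns ((network, wildcard), index_of_next_token)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_acl(text):
    """Return a list of (action, src_term, dst_term, original_line) in ACL order."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        tokens = line.split()
        if tokens[0] == "access-list":      # numbered form: skip 'access-list N'
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit|deny ip' entries are handled: {line}")
        src, i = _parse_term(tokens, 2)
        dst, _ = _parse_term(tokens, i)
        entries.append((action, src, dst, line))
    return entries


def _term_matches(addr, term):
    """Wildcard semantics: compare only the bits where the wildcard is 0."""
    net, wild = term
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def match(acl_text, src, dst):
    """First matching entry wins; no match means the implicit deny at the end."""
    s, d = _addr(src), _addr(dst)
    for action, sterm, dterm, line in parse_acl(acl_text):
        if _term_matches(s, sterm) and _term_matches(d, dterm):
            return action, line
    return "deny", "(implicit deny)"


def check_flow(src, dst):
    """Evaluate one flow against the crypto ACL and both NAT ACLs from the post."""
    return {
        "allofit (crypto)": match(ALLOFIT, src, dst),
        "173 (NAT, Fa0/1)": match(ACL_173, src, dst),
        "174 (NAT, Fa1/0)": match(ACL_174, src, dst),
    }


if __name__ == "__main__":
    # Constructed sample flows: the pinging host from the post, another host on
    # the new subnet, and an old-subnet host, towards a VPN site and the Internet.
    for src, dst in [("192.168.1.80", "10.0.0.1"), ("192.168.1.50", "10.0.0.1"),
                     ("192.168.1.50", "203.0.113.10"), ("192.168.0.80", "10.0.0.1")]:
        print(f"{src} -> {dst}")
        for name, (action, line) in check_flow(src, dst).items():
            print(f"  {name:18} {action:6} {line}")
```

The matcher only understands the `ip` protocol with `any`, `host` and network/wildcard terms, which is all the posted lists use; port-qualified TCP/UDP entries would need a longer parser. It is a way to check ACL ordering before touching the router, not a substitute for `show access-lists` and `debug crypto ipsec` on the box.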
Current thread:
- CISCO 3640 IPSEC problem James Kevin Eaves (Mar 14)