Firewall Wizards mailing list archives

CISCO 3640 IPSEC problem


From: "James Kevin Eaves" <kevin () dominet com>
Date: Tue, 14 Mar 2006 09:09:54 -0600

I have a Cisco 3640 with one outside interface and 1 inside 
interface. I have 9 locations that are connecting to the firewall using 
a dynamic IPSEC tunnel. Each location has its own private subnet. 
I have no problems with this setup. I can see the IPs at the other 
end and vice versa.
Now, I want to add a second inside interface (192.168.1.1).
When I put a machine on the second interface I am unable to see 
the other locations from the machine and get this error on debug 
when I try to ping from like 192.168.1.80 to 10.0.0.1:
"crypto map check failed"
Am I missing something, or is this even possible?

Here is my setup on the firewall

VPN LOCATIONS - 10.0.1.0 to 10.0.9.0

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set combined-des esp-des esp-md5-hmac 
!
crypto dynamic-map mymap 1
 set transform-set combined-des 
 match address allofit
!         
!
crypto map mymap-map local-address FastEthernet1/1
crypto map mymap-map 1 ipsec-isakmp dynamic mymap 
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description inside_LAN_0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat2
!
interface FastEthernet1/0
 description inside_LAN_1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat1

!
interface FastEthernet1/1
 description outside_abcd
 ip address a.b.c.d 255.255.255.224
 ip access-group 112 in
 ip nat outside
 crypto map mymap-map
!
ip nat inside source list 173 interface FastEthernet1/1 overload
ip nat inside source list 174 interface FastEthernet1/1 overload
!
ip nat inside source static 192.168.0.76 a.b.c.91
ip nat inside source static 192.168.1.43 a.b.c.80
!
ip route 0.0.0.0 0.0.0.0 a.b.c.65
!
no ip access-list extended allofit
ip access-list extended allofit
 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
 deny   ip 192.168.0.0 0.0.0.255 any
 deny   ip 192.168.1.0 0.0.0.255 any
!
route-map nonat2 permit 11
 match ip address 123
 set ip next-hop 1.1.1.2

route-map nonat1 permit 10
 match ip address 124
 set ip next-hop 1.1.1.2
!
access-list 123 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
!
access-list 124 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
!
access-list 173 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 173 deny   ip host 192.168.0.91 any
access-list 173 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 174 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 174 deny   ip host 192.168.1.80 any
access-list 174 permit ip 192.168.0.0 0.0.0.255 any




_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
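When a flow from a new inside interface fails at the crypto map, the first thing to check is which line of each access list the packet actually hits, in order: the PBR list, the NAT list and the crypto ACL, since Cisco ACLs are first-match with an implicit deny at the end. The evaluator below is an added example (not code from the post or from Cisco); it models Cisco wildcard-mask matching and loads the lists from the post that apply to inside_LAN_1 (allofit, 124 and 174). Flows and the 198.51.100.7 address are constructed sample input.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(ip, base, wild):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    keep = ~_ip(wild) & 0xFFFFFFFF
    return (_ip(ip) & keep) == (_ip(base) & keep)

def _take_addr(toks):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines (named or numbered) into tuples."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] == "access-list":      # numbered list: drop 'access-list <n>'
            toks = toks[2:]
        src, rest = _take_addr(toks[2:])  # toks[1] is the protocol ('ip')
        dst, _ = _take_addr(rest)
        entries.append((toks[0], src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """First-match semantics: return (action, index) or ('deny', None) if none match."""
    for i, (action, (sb, sw), (db, dw)) in enumerate(entries):
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action, i
    return "deny", None

# Lists copied verbatim from the post, as they apply to traffic entering FastEthernet1/0.
ALLOFIT = parse_acl("""permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
deny   ip 192.168.0.0 0.0.0.255 any
deny   ip 192.168.1.0 0.0.0.255 any""")
ACL_124 = parse_acl("access-list 124 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255")
ACL_174 = parse_acl("""access-list 174 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 174 deny   ip host 192.168.1.80 any
access-list 174 permit ip 192.168.0.0 0.0.0.255 any""")

def trace_flow(src_ip, dst_ip):
    """Report which entry of the PBR, NAT and crypto lists a packet from inside_LAN_1 hits."""
    return {"pbr": evaluate(ACL_124, src_ip, dst_ip),
            "nat": evaluate(ACL_174, src_ip, dst_ip),
            "crypto": evaluate(ALLOFIT, src_ip, dst_ip)}

if __name__ == "__main__":
    for flow in (("192.168.1.80", "10.0.0.1"), ("192.168.1.43", "198.51.100.7")):
        print(flow, trace_flow(*flow))
```

Running it shows that list 174 as posted never reaches a permit for a 192.168.1.0/24 source (its only permit line names 192.168.0.0/24), which is the kind of wildcard or subnet slip this check is meant to surface before looking at the crypto map itself.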

