How to create a Site-to-Site VPN between a Cisco ASA and a Cisco IOS router with 2 BGP interfaces and a Loopback interface.
A few days ago I ran into a problem: I had a VPN connection up, but no traffic was going over it.
The diagram below shows how I built this solution and how it works. (The IP addresses in the diagram are not the real ones in use.)
I will explain the configuration on the Cisco 2951 router side, because the Cisco ASA VPN configuration is plain and simple (like most site-to-site VPNs). To make the setup complete, the diagram shows both sides.
I start with the VPN (ISAKMP and IPsec) configuration.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <yourwonderfulkeytosuccess> address <ip address>
!
crypto ipsec transform-set transform-asp esp-3des esp-md5-hmac
The line crypto map vpn local-address Loopback100 is there because the external IP address is configured on a Loopback interface: the crypto map then uses that address as its local endpoint.
crypto map vpn local-address Loopback100
crypto map vpn 1 ipsec-isakmp
 set peer <ip address>
 set transform-set transform-asp
 match address 100
!
access-list 100 permit ip <internal ip> <wildcard> <remote location ip> <wildcard>
If you don't add access-list 100 the configuration is incomplete: the crypto map entry has nothing to match. Next the Loopback interface (the access-group lines reference ACLs that are not shown in this blog post).
interface Loopback100
 ip address <ip address> <subnet>
 ip access-group ACL_ACCESS_IN in
 ip access-group ACL_ACCESS_OUT out
 ip nat outside
 ip virtual-reassembly in
 crypto map vpn
!
The crypto map vpn also needs to be applied on both BGP interfaces, otherwise your VPN won't come up.
interface GigabitEthernet0/1
 description *** BGP Link 1 to ISP ***
 ip address <ip address> <subnet>
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn
!
interface GigabitEthernet0/2
 description *** BGP Link 2 to ISP ***
 ip address <ip address> <subnet>
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn
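As an added example (not part of the original post), a small Python checker that parses an IOS-style running config and reports the omissions this post warns about: a crypto map missing from a routed WAN interface, a match address ACL that is referenced but never defined, and a legacy ISAKMP cipher or hash. The embedded config is constructed, uses RFC 5737 documentation addresses, and deliberately leaves the map off the second BGP link.

```python
import re

# Constructed sample mirroring the post's layout (documentation addresses only).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
crypto ipsec transform-set transform-asp esp-3des esp-md5-hmac
crypto map vpn local-address Loopback100
crypto map vpn 1 ipsec-isakmp
 set peer 203.0.113.10
 match address 100
interface Loopback100
 ip address 198.51.100.1 255.255.255.192
 crypto map vpn
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 crypto map vpn
interface GigabitEthernet0/2
 ip address 192.0.2.5 255.255.255.252
"""

def parse_interfaces(cfg):
    ifaces, current = {}, None  # map each 'interface X' stanza to its sub-commands
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return ifaces

def check_crypto_map(cfg, map_name="vpn"):
    """Return findings: map not on a WAN interface, missing match ACL, legacy crypto."""
    findings = []
    if not re.search(rf"^crypto map {map_name} local-address \S+", cfg, re.M):
        findings.append(f"crypto map {map_name}: no local-address")
    for name, lines in parse_interfaces(cfg).items():
        # Every routed WAN interface that ISAKMP/ESP can arrive on needs the map.
        is_wan = not name.startswith("Loopback") and any(l.startswith("ip address") for l in lines)
        if is_wan and f"crypto map {map_name}" not in lines:
            findings.append(f"{name}: crypto map {map_name} not applied")
    for acl in re.findall(r"^ match address (\S+)", cfg, re.M):
        if not re.search(rf"^access-list {acl} ", cfg, re.M):
            findings.append(f"access-list {acl}: referenced by match address but not defined")
    if re.search(r"^ (encr|hash) (3des|des|md5)$", cfg, re.M):
        findings.append("isakmp policy uses legacy 3DES/MD5; prefer AES and SHA-2")
    return findings
```

Run check_crypto_map(SAMPLE_CONFIG) to see the three findings; feed it the text of show running-config to check a real router.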
Hi,
Very useful example. But there is no need for applying crypto map to loopback interface.
interface Loopback100
no crypto map vpn
Kind regards,
Michał
Documentation:
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_c2g.html#wp1073947
Thank you for the information. I can't remember it well, but I think we tested without the crypto map on the loopback and it didn't work, because in our configuration the normal external IP of the network is located on the loopback interface and not on one of the 2 BGP interfaces. Maybe I'll have a chance to test it again soon before we create more VPN connections to this device with this configuration.
We checked it :)
We used an independent address from our AS with a /32 mask on the loopback interface, and it works fine. The 2 WAN interfaces are connected to 2 ISPs with other public addresses.
m.
Okay, nice to hear. So if I understand correctly, you have for example
External ip address 1
10.1.1.1/32
external ip address 2
10.1.1.2/32
each on a different Loopback interface? Or am I incorrect?
I now have something like 10.1.1.1/26 on 1 loopback interface.
I have recently configured the same scenario on my production router. I applied crypto on the outside interfaces and it's working fine. I am sure there is no need to apply crypto on the loopback interface. However, your article is very helpful.
Hi, we have the same kind of configuration in our network environment, with crypto on 2 WAN interfaces and 1 loopback interface. But now we realized that the tunnel is not passing port 80 and SMTP traffic. Can somebody help me with that? Thanks in advance.
You need to add an additional exclusion ACL to the port forwarder to block VPN traffic; that will help pass the HTTP and SMTP traffic through.