I have a Cisco 3640 with one outside interface and 1 inside
interface. I have 9 locations that are connecting to the firewall using
a dynamic IPSEC tunnel. Each location has its own private subnet.
I have no problems with this setup. I can see the IPs at the other
end and vice versa.
Now, I want to add a second inside interface (192.168.1.1).
When I put a machine on the second interface I am unable to see
the other locations from the machine and get this error on debug
when I try to ping from like 192.168.1.80 to 10.0.0.1
"crypto map check failed"
Am I missing something, or is this even possible?

Here is my setup on the firewall

VPN LOCATIONS - 10.0.1.0 to 10.0.9.0

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key xxxxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set combined-des esp-des esp-md5-hmac
!
crypto dynamic-map mymap 1
set transform-set combined-des
match address allofit
!
!
crypto map mymap-map local-address FastEthernet1/1
crypto map mymap-map 1 ipsec-isakmp dynamic mymap
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/1
description inside_LAN_0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip policy route-map nonat2
!
interface FastEthernet1/0
description inside_LAN_1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip policy route-map nonat1

!
interface FastEthernet1/1
description outside_abcd
ip address a.b.c.d 255.255.255.224
ip access-group 112 in
ip nat outside
crypto map mymap-map
!
ip nat inside source list 173 interface FastEthernet1/1 overload
ip nat inside source list 174 interface FastEthernet1/1 overload
!
ip nat inside source static 192.168.0.76 a.b.c.91
ip nat inside source static 192.168.1.43 a.b.c.80
!
ip route 0.0.0.0 0.0.0.0 a.b.c.65
!
no ip access-list extended allofit
ip access-list extended allofit
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.0.255 any
deny ip 192.168.1.0 0.0.0.255 any
!
route-map nonat2 permit 11
match ip address 123
set ip next-hop 1.1.1.2

route-map nonat1 permit 10
match ip address 124
set ip next-hop 1.1.1.2
!
access-list 123 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
!
access-list 124 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
!
access-list 173 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 173 deny ip host 192.168.0.91 any
access-list 173 permit ip 192.168.0.0 0.0.0.255 any
!
access-list 174 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 174 deny ip host 192.168.1.80 any
access-list 174 permit ip 192.168.0.0 0.0.0.255 any

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards
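An added check, not from the original post: a Python walk of a packet from the second LAN through the three ACLs transcribed from the config above (policy route-map list 124, NAT list 174 and the crypto ACL allofit), evaluating IOS wildcard masks the way the router does. It reports which line matched, which makes it visible that list 174 only ever hits its host deny for 192.168.1.80 and otherwise falls through to the implicit deny, so no other 192.168.1.0/24 host is NATed at all.

```python
import ipaddress

def _i(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 0 bit must match, a 1 bit is "don't care"
    care = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(addr) & care) == (_i(base) & care)

# ACLs transcribed from the posted config; host/any expanded to base+wildcard form
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    "allofit": [  # crypto ACL referenced by dynamic map "mymap"
        ("permit", "192.168.0.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
        ("permit", "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
        ("deny", "192.168.0.0", "0.0.0.255", *ANY),
        ("deny", "192.168.1.0", "0.0.0.255", *ANY),
    ],
    "124": [  # match list of route-map nonat1 on inside_LAN_1
        ("permit", "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
    ],
    "174": [  # NAT source list for inside_LAN_1 (as posted, typos included)
        ("deny", "192.168.2.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
        ("deny", "192.168.1.80", "0.0.0.0", *ANY),
        ("permit", "192.168.0.0", "0.0.0.255", *ANY),
    ],
}

def acl_lookup(name, src, dst):
    """First matching entry as (action, 1-based line); ('deny', None) is the implicit deny."""
    for n, (action, s, sw, d, dw) in enumerate(ACLS[name], 1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, n
    return "deny", None

def walk_flow(src, dst):
    """Verdict of each stage a packet from inside_LAN_1 meets before the crypto map."""
    return {
        "policy_routed": acl_lookup("124", src, dst),
        "nat_applied": acl_lookup("174", src, dst),
        "crypto_interesting": acl_lookup("allofit", src, dst),
    }

if __name__ == "__main__":
    for host in ("192.168.1.80", "192.168.1.50"):
        print(host, "-> 10.0.0.1:", walk_flow(host, "10.0.0.1"))
```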