[c-nsp] Cat 6509 with IPsec Services module
David Prall
dcp at dcptech.com
Thu May 19 21:45:10 EDT 2005
Enno,
You discuss VPNSM, then state FWSM later.
It sounds like from your writeup that you have "no switchport" configured on
gi9/37. You are using vlan 1 as the outside vlan, I wouldn't recommend this.
David
--
David C Prall dcp at dcptech.com http://dcp.dcptech.com
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Enno Rey
> Sent: Thursday, May 19, 2005 3:22 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat 6509 with IPsec Services module
>
> Hi,
>
> I'm having some problems with an IPsec Services module in a
> Cat6509/Sup720 running 12.2(18)SX.
> The machine is already productive with several VLANs (<20),
> internet access (100 Mbit) via a routed interface, absolutely
> nothing special here.
>
> After applying the necessary configuration items for the
> Firewall Services Module (configuring both virtual Gig ports
> and vlans/interfaces), internet connectivity via the routed
> interface (here g9/37) is lost.
>
> In brief:
>
> before:
> int gig9/37 configured as routed interface with external ip.
>
> after:
>
> - both virtual gigs of the module configured as trunk ports,
> one of them with allowed vlan 1,100,1002-1005,
> - int gig9/37: no ip address, crypto connect vlan 100
> - int vlan 100 with external ip + 'crypto engine slot' command.
>
>
> In my understanding (that may be wrong) the traffic should
> continue to flow without problems as long as there's no
> crypto map applied to the vlan interface 100. But this is not
> the case. As soon as I apply the above mentioned changes,
> external connectivity is lost (which is bad ;-)) and I see
> the interface vlan 100 in down state. Whatever I do I can't
> get the interface to change to up state.
>
> What am I doing wrong here? At the moment I'm rather stuck...
> any insight or help will strongly be appreciated.
>
> thanks,
>
> Enno
> --
> Enno Rey
>
> ERNW Enno Rey Netzwerke GmbH - Zaehringerstr. 46 - 69115 Heidelberg
> Tel. +49 6221 480390 - Fax 6221 419008 - Mobil +49 173 6745902
> www.ernw.de - PGP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1