Add 1 more tunnel on the existing firewall

Unanswered Question
Mar 8th, 2007
User Badges:

I have an existing tunnel between 2 sites: (A and B) configured on 2 FWs. Now I was asked to add 1 more tunnel berween A and C. Since C is new site, I can just copy the existing configuration and change the IP address for site C, how about A? how is the configuration need to be done to add one more tunnel?

The following is my existing config on FW A (only VPN related commands are listed):

access-list 101 permit ip

access-list NoNAT permit ip

nat (inside) 0 access-list NoNAT

isakmp enable outside

isakmp key xxxxxxxx address netmask

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 1 ipsec-isakmp

crypto map outside_map 1 match address 101

crypto map outside_map 1 set peer

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

management-access inside

sysopt connection permit-ipsec

by the way: A site LAN is

B site:

C site:

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kaachary Thu, 03/08/2007 - 01:20
User Badges:
  • Cisco Employee,


Assuming you are using same encryption and authentication parameters as Site B (Same Iskamp policies and same Trnasform set), you require following changes to add a tunnel between Site A and C.

access-list 102 permit ip

access-list NoNAT permit ip

isakmp key xxxxxxxx address netmask

crypto map outside_map 2 ipsec-isakmp

crypto map outside_map 2 match address 102

crypto map outside_map 2 set peer

crypto map outside_map 2 set transform-set ESP-3DES-MD5

That's it !!

*Please rate if this helps.


shibindong Thu, 03/08/2007 - 01:24
User Badges:

thanks for your prompt reply, my another question is "2" in the "crypto map outside_map". correct me if i am wrong, "2" in the IPsec should the same as the number in ike configure, right?

kaachary Thu, 03/08/2007 - 01:28
User Badges:
  • Cisco Employee,

No, it doesn't matter.

It could be any number other than "1" as you have one crypto map defined with priority "1".

All the crypto maps on the device, should have the same name, but different sequence number. The sequence number can be random.

It has nothing to do with the IKE policy.

*Please rate if helped.



This Discussion