
Advice on a second VPN to a DMZ

robbhanMid
Level 1

I was to follow this Cisco example of configuring a LAN-to-LAN VPN:

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.100 255.255.0.0
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l
hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
hostname(config-ipsec)# pre-shared-key xxx
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory

If I later on need to set up a new tunnel group to, let's say, a DMZ on one of the hosts, do I need to redo the isakmp policy part for every new connection, or is adding a new tunnel group and a new access-list enough?

Accepted Solutions

nomair_83
Level 3

Yup, if you want to keep the same values then you don't need to redo the isakmp part; in fact, you can use the same transform set.

All you need is to add tunnel groups, access lists and crypto map entries with sequence numbers 2, 3 and so on, with different peers and ACLs.

Regards
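The additions described in the accepted answer, written out as an added example that is not part of the original thread or of Cisco's document. The peer address 10.10.4.109, the DMZ network 172.16.50.0/24, the ACL name l2l_dmz_list and the key placeholder are constructed for illustration; everything else is reused from the configuration in the question.

```cisco
! Added example: second LAN-to-LAN tunnel on the same device.
! isakmp policy 1 and transform set FirstSet already exist and are
! shared by every tunnel, so neither is repeated here.

! 1. Interesting traffic for the new tunnel. 172.16.50.0/24 is a
!    constructed DMZ network behind the new peer. Keep it disjoint
!    from l2l_list: crypto map entries are evaluated in sequence
!    order, and an overlapping match in entry 1 would send this
!    traffic to the first peer instead.
access-list l2l_dmz_list extended permit ip 192.168.0.0 255.255.0.0 172.16.50.0 255.255.255.0

! 2. Tunnel group for the new peer (10.10.4.109 is a constructed
!    address). Use a pre-shared key different from the first
!    tunnel's, so one key does not authenticate every peer.
tunnel-group 10.10.4.109 type ipsec-l2l
tunnel-group 10.10.4.109 ipsec-attributes
 pre-shared-key <psk-for-second-peer>

! 3. New entry in the SAME crypto map, with the next sequence number.
!    An interface carries only one crypto map, and abcmap is already
!    bound to outside, so the "crypto map abcmap interface outside"
!    line is not entered again.
crypto map abcmap 2 match address l2l_dmz_list
crypto map abcmap 2 set peer 10.10.4.109
crypto map abcmap 2 set transform-set FirstSet

! 4. Save, then confirm both entries and both security associations.
write memory
show running-config crypto map
show crypto isakmp sa
show crypto ipsec sa peer 10.10.4.109
```

The remote peer needs the mirror image of this: an ACL with source and destination swapped, a tunnel group for 10.10.4.100 with the same key, and a matching ISAKMP policy and transform set.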

