Different "access-list outside_cryptomap" for every VPN?

Answered Question
Jul 8th, 2008

Hi,

Just for my understanding.

I have one VPN connected to my Cisco ASA 5520. When I tried to add another VPN I had to create a 2nd crypto map; can I not create a group so there is one crypto map?

Currently I have:

access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0

I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0

But I wondered if I could use something like:

access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks

When I do this though I guess it will cause a problem with the peer address?

Correct Answer
a.alekseev Tue, 07/08/2008 - 06:25

You must use a different access-list in the crypto map for every VPN.

whiteford Tue, 07/08/2008 - 06:28

I know it was a simple question but very useful for me, thanks!

whiteford Tue, 07/08/2008 - 06:46

Is there a certain order I need to add the config into the CLI as well?

I have this to add:

access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
crypto map outside_map 1 match address outside_MYcryptomap_1
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy CBSO-L2L
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key abcdefgh
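An added example, not from this thread or from Cisco: a small Python linter over ASA-style config text that checks what the answer above implies, namely that every crypto map entry has its own match-address ACL, that the ACL exists, that the entry has a peer and transform-set, and that each peer has an ipsec-l2l tunnel-group. The config below is constructed; entry 2 deliberately reuses entry 1's ACL and has no tunnel-group.

```python
import re
from collections import defaultdict

# Constructed sample: two site-to-site entries in one crypto map (not a real device config).
SAMPLE_CONFIG = """
access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 5.6.7.8
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
tunnel-group 1.2.3.4 type ipsec-l2l
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l")
FIELDS = {"match address": "acl", "set peer": "peer", "set transform-set": "transform"}

def lint_crypto_maps(config):
    """Return a list of findings; an empty list means every entry is self-consistent."""
    acls, tunnel_groups = set(), set()
    entries = defaultdict(dict)  # (map name, sequence) -> {"acl": ..., "peer": ..., "transform": ...}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := MAP_RE.match(line):
            entries[(m.group(1), int(m.group(2)))][FIELDS[m.group(3)]] = m.group(4)
        elif m := TG_RE.match(line):
            tunnel_groups.add(m.group(1))
    findings, acl_users = [], defaultdict(list)
    for (name, seq), e in sorted(entries.items()):
        for field in ("acl", "peer", "transform"):
            if field not in e:
                findings.append(f"{name} {seq}: missing {field}")
        if "acl" in e:
            acl_users[e["acl"]].append(f"{name} {seq}")
            if e["acl"] not in acls:
                findings.append(f"{name} {seq}: ACL {e['acl']} is not defined")
        if "peer" in e and e["peer"] not in tunnel_groups:
            findings.append(f"{name} {seq}: no ipsec-l2l tunnel-group for peer {e['peer']}")
    for acl, users in acl_users.items():
        if len(users) > 1:  # the mistake the thread warns about: one ACL shared by two entries
            findings.append(f"ACL {acl} is shared by {', '.join(users)}; each entry needs its own")
    return findings

if __name__ == "__main__":
    for finding in lint_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```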
