Different "access-list outside_cryptomap" for every VPN?

Answered Question
Jul 8th, 2008

Hi,


Just for my understanding.


I have one VPN connected to my Cisco ASA 5520; when I tried to add another VPN I had to create a 2nd cryptomap. Can I not create a group so there is one crypto map?


Currently I have:


access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0


I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0


But wondered if I could use something like:


access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks


When I do this though I guess it will cause a problem with the peer address?

Correct Answer
a.alekseev Tue, 07/08/2008 - 06:25

You must use a different access-list in the cryptomap for every VPN.

whiteford Tue, 07/08/2008 - 06:28

I know it was a simple question but very useful for me, thanks!

whiteford Tue, 07/08/2008 - 06:46

Is there a certain order I need to add the config into the CLI as well?


I have this to add:


access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0


crypto map outside_map 1 match address outside_MYcryptomap_1

crypto map outside_map 1 set pfs group5

crypto map outside_map 1 set peer 1.2.3.4

crypto map outside_map 1 set transform-set ESP-AES-256-SHA

crypto map outside_map 1 set security-association lifetime seconds 86400


tunnel-group 1.2.3.4 type ipsec-l2l

tunnel-group 1.2.3.4 general-attributes

default-group-policy CBSO-L2L

tunnel-group 1.2.3.4 ipsec-attributes

pre-shared-key abcdefgh
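Putting the answer and the follow-up together, here is what a two-tunnel configuration looks like end to end on an ASA 8.0-era box. This is an added example, not config from the thread: the peer addresses (203.0.113.10 and 198.51.100.20 are documentation ranges), the local LAN 10.1.1.0/24, the names L2L-POLICY, outside_cryptomap_A/B and inside_nat0_outbound, and the pre-shared keys are all made up. The point it illustrates is why the object-group idea in the question does not work: a crypto map entry carries exactly one `set peer` (extra addresses on that line are backup peers, not per-destination peers), and traffic is matched to the entry whose ACL permits it, lowest sequence number first, so each peer needs its own ACL and its own entry with a distinct sequence number. Re-using `crypto map outside_map 1 ...` for the second tunnel would modify entry 1 rather than add a second entry.

```cisco
! Added example, not the thread's own config. Names, addresses and keys
! are made up; 10.1.1.0/24 is the assumed local LAN behind the ASA.

! --- Tunnel A: peer 203.0.113.10, remote LAN 172.19.15.0/24 ---
! Use the real local subnet rather than "any" so the two crypto ACLs are
! disjoint and the proxy identity offered to the peer is exact.
access-list outside_cryptomap_A extended permit ip 10.1.1.0 255.255.255.0 172.19.15.0 255.255.255.0

! --- Tunnel B: peer 198.51.100.20, remote LAN 172.19.2.0/24 ---
access-list outside_cryptomap_B extended permit ip 10.1.1.0 255.255.255.0 172.19.2.0 255.255.255.0

! Exempt the VPN traffic from NAT (pre-8.3 nat 0 syntax, as in 2008)
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 172.19.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 172.19.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Phase 1 and phase 2 parameters, shared by both tunnels
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Group policy referenced by both tunnel-groups
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-tunnel-protocol IPSec

! ONE crypto map, one ENTRY per tunnel. Sequence numbers 10 and 20 must
! differ; each entry has its own match-address ACL and its own peer.
crypto map outside_map 10 match address outside_cryptomap_A
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 86400

crypto map outside_map 20 match address outside_cryptomap_B
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 86400

! Bind the map to the interface once; entries added later are picked up.
crypto map outside_map interface outside
crypto isakmp enable outside

! One tunnel-group per peer, named by the peer address for ipsec-l2l,
! each with its own pre-shared key so one peer's key cannot be used to
! impersonate the other.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-POLICY
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <key-for-peer-A>

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 general-attributes
 default-group-policy L2L-POLICY
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <key-for-peer-B>
```

On ordering: the parser does not insist on a particular sequence, but the ACL, transform-set, ISAKMP policy and group-policy are referenced by name or number from the crypto map and tunnel-group lines, so define them first and add the `crypto map ... interface outside` binding after the entries exist. Adding a third site later means one more ACL, one more entry with a new sequence number (30), and one more tunnel-group; nothing in the existing entries changes. Keep the crypto ACLs disjoint: if two entries' ACLs overlap, the lower sequence number wins and that traffic is sent to the wrong peer.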

