
Different "access-list outside_cryptomap" for every VPN?

whiteford
Level 1

Hi,

Just for my understanding.

I have one VPN connected to my Cisco ASA 5520; when I tried to add another VPN I had to create a 2nd crypto map. Can I not create a group so there is one crypto map?

Currently I have:

access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0

I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0

But wondered if I could use something like:

access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks

When I do this though I guess it will cause a problem with the peer address?

Accepted Solution

a.alekseev
Level 7

You must use a different access-list in the crypto map for every VPN.


3 Replies


I know it was a simple question but very useful for me, thanks!

Is there a certain order I need to add the config into the CLI as well?

I have this to add:

access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0

crypto map outside_map 1 match address outside_MYcryptomap_1

crypto map outside_map 1 set pfs group5

crypto map outside_map 1 set peer 1.2.3.4

crypto map outside_map 1 set transform-set ESP-AES-256-SHA

crypto map outside_map 1 set security-association lifetime seconds 86400

tunnel-group 1.2.3.4 type ipsec-l2l

tunnel-group 1.2.3.4 general-attributes

default-group-policy CBSO-L2L

tunnel-group 1.2.3.4 ipsec-attributes

pre-shared-key abcdefgh
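The rule behind the accepted answer (each crypto map entry gets its own access-list and its own peer, and each peer needs a matching ipsec-l2l tunnel-group) is the kind of thing that is easy to get wrong when a second or third site is pasted in. The script below is an added example, not part of this thread and not a Cisco tool: it parses a small constructed ASA config fragment (modelled on the lines in the original question and follow-up, with made-up peer addresses) and reports entries that share an ACL, reference an undefined ACL, lack a peer, or point at a peer with no tunnel-group. The regular expressions cover only the handful of keywords shown on this page (`match address`, `set peer` with a single peer, `access-list`, `tunnel-group ... type ipsec-l2l`); that narrow grammar is an assumption of the example, not a description of the full ASA syntax.

```python
"""Lint an ASA crypto-map config for the one-ACL-per-VPN rule.

Added example for this thread; not Cisco's code. The config below is
constructed for illustration and the regexes only understand the
keywords that appear on this page.
"""
import re
from collections import defaultdict

# Constructed sample: two correct site-to-site entries on one crypto map
# name, plus a deliberately wrong third entry that reuses the first ACL
# and points at a peer with no tunnel-group.
SAMPLE_CONFIG = """
access-list outside_cryptomap_1 extended permit ip any 172.19.15.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip any 172.19.2.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 5.6.7.8
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 match address outside_cryptomap_1
crypto map outside_map 3 set peer 9.9.9.9
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 5.6.7.8 type ipsec-l2l
"""

# Only the subset of syntax used in this thread (assumption of the example).
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse(config):
    """Return ({(map, seq): {'acl':..., 'peer':...}}, acl names, l2l tunnel-group names)."""
    entries = defaultdict(dict)
    acls = set()
    tunnel_groups = set()
    for raw in config.splitlines():
        line = raw.strip()
        m = CRYPTO_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            field = "acl" if m.group(3) == "match address" else "peer"
            entries[key][field] = m.group(4)
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
            continue
        m = TG_RE.match(line)
        if m:
            tunnel_groups.add(m.group(1))
    return entries, acls, tunnel_groups


def lint(config):
    """Return a list of human-readable findings; an empty list means clean."""
    entries, acls, tunnel_groups = parse(config)
    findings = []
    acl_users = defaultdict(list)  # ACL name -> crypto map entries that reference it
    for key in sorted(entries):
        e = entries[key]
        name = f"crypto map {key[0]} {key[1]}"
        if "acl" not in e:
            findings.append(f"{name}: no 'match address' ACL")
        else:
            acl_users[e["acl"]].append(name)
            if e["acl"] not in acls:
                findings.append(f"{name}: ACL {e['acl']} is not defined")
        if "peer" not in e:
            findings.append(f"{name}: no 'set peer'")
        elif e["peer"] not in tunnel_groups:
            findings.append(f"{name}: peer {e['peer']} has no ipsec-l2l tunnel-group")
    # The point of the thread: an ACL may back only one crypto map entry.
    for acl, users in acl_users.items():
        if len(users) > 1:
            findings.append(
                f"ACL {acl} is shared by {', '.join(users)}; each VPN needs its own ACL"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it flags entry 3 twice (shared ACL and missing tunnel-group); delete the two `outside_map 3` lines and it reports nothing. On a real box the input would be the output of `show running-config`, and the ACL-sharing check is the one that answers the original question.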
