Can I have Cisco VPN client access on two interfaces at same time

Unanswered Question
Feb 12th, 2010

I have the ability to have Cisco VPN client access on interface one (outside).

Do I have to re-enter all the details a second time to enable it on the second interface so I can have VPN outside access on both interfaces (called "backup")?

Or can I simply enter the following?

I have a 2nd crypto map which I want to apply to the 2nd interface:

crypto map backup_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map backup_map interface backup

The relevant parts of my setup are as follows:

access-list inside_nat0_outbound extended permit ip any 172.21.0.0 255.255.255.224

ip local pool VPNUsers 172.21.0.1-172.21.0.25 mask 255.255.255.0

group-policy VPNUsers internal
group-policy VPNUsers attributes
wins-server value 192.168.0.0.1
dns-server value 192.168.0.1
vpn-tunnel-protocol IPSec
username XYZ password Ni2RqkJmO13a39Ml encrypted privilege 15
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group VPNUsers type ipsec-ra
tunnel-group VPNUsers general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
default-group-policy VPNUsers

Federico Coto F... Sat, 02/13/2010 - 08:20

Hi,

You can have VPN clients connecting to more than one interface on the ASA.

If, for example, your current VPN terminating interface is called outside, then you have:

crypto map outside_map interface outside

To allow the VPN clients to terminate on another interface as well, called outside1, then you only add:

crypto map outside_map interface outside1

Then, the VPN clients can be configured to use the primary interface first and connect to the secondary interface only if the attempt to connect to the primary interface fails.

Let's see the results.

Federico.

mawallace Sat, 02/13/2010 - 09:55

Ah, but can I have two different crypto maps, one applied to the "outside" interface and the other to the "outside1" interface, but copy the details of the VPN client one from the "outside" list by using a simple command rather than re-entering all the details?

Federico Coto F... Sat, 02/13/2010 - 15:50

Yes,

You can have a different crypto map applied to another interface. If it's for VPN clients, then just do the following:

This is your current crypto map for the VPN clients:

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto map outside_map interface outside

So, then just add the following commands to add another crypto map:

crypto dynamic-map new_dynamic_map 70 set transform-set ESP-3DES-MD5
crypto map new_map 65500 ipsec-isakmp dynamic new_dynamic_map

crypto isakmp enable new_outside
crypto map new_map interface new_outside

Just out of curiosity, why do you want a different crypto map instead of using the same one?

Federico.
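As an added check, not part of this thread or any Cisco tool, the Python lint below reads ASA-style crypto lines and reports a crypto map bound to an interface that has no matching "crypto isakmp enable", plus maps or dynamic-maps that point at undefined objects. The sample config is constructed from the poster's lines plus the proposed backup_map commands, deliberately leaving out "crypto isakmp enable backup" so the check has something to flag.

```python
import re

# Constructed sample: the poster's crypto lines plus the proposed backup_map
# commands, without "crypto isakmp enable backup" (the second answer adds the
# equivalent line for its new interface).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto map backup_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map backup_map interface backup
"""

def check_crypto_maps(config):
    """Return a list of human-readable findings for crypto map / ISAKMP consistency."""
    transform_sets, dyn_maps, maps, isakmp_ifaces = set(), {}, {}, set()
    bindings = []  # (crypto map name, interface it is applied to)
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec transform-set (\S+)", line)
        if m:
            transform_sets.add(m.group(1)); continue
        m = re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)", line)
        if m:
            dyn_maps.setdefault(m.group(1), set()).update(m.group(2).split()); continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line)
        if m:
            maps.setdefault(m.group(1), set()).add(m.group(2)); continue
        m = re.match(r"crypto map (\S+) interface (\S+)", line)
        if m:
            bindings.append((m.group(1), m.group(2))); continue
        m = re.match(r"crypto isakmp enable (\S+)", line)
        if m:
            isakmp_ifaces.add(m.group(1))
    findings = []
    for name, dyns in maps.items():
        for d in dyns:
            if d not in dyn_maps:
                findings.append(f"map {name} references undefined dynamic-map {d}")
            else:
                for ts in sorted(dyn_maps[d] - transform_sets):
                    findings.append(f"dynamic-map {d} references undefined transform-set {ts}")
    for name, iface in bindings:
        if name not in maps:
            findings.append(f"map {name} is bound to {iface} but has no entries")
        if iface not in isakmp_ifaces:
            findings.append(f"interface {iface} has {name} bound but no 'crypto isakmp enable {iface}'")
    return findings
```

Run it against a "show running-config" excerpt; an empty list means every bound map has ISAKMP enabled on its interface and resolves to defined dynamic-maps and transform-sets.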
