06-21-2010 06:36 PM
Hello All,
I was wondering: if I have a Cisco ASA firewall and it has several site-to-site VPNs using pre-shared keys, and I want to add another VPN to the firewall, do I have to add all the crypto ISAKMP stuff again, or can I just use the VPN config already in the firewall? I mean, besides the new crypto map, ACL and NAT 0 statement, what other statements do I need to enter in order to build this new site-to-site tunnel? I don't want to end up entering more commands than are needed.
Solved! Go to Solution.
06-21-2010 06:47 PM
No, you don't need to add new crypto isakmp policies if you already have matching policies configured. You can also re-use the crypto ipsec transform-set policy if it is the same on the other side of the LAN-to-LAN tunnel (as long as it matches on both ends).
You are right, the only statements you would need to add would be the ACL entry for NAT 0 and new crypto map sequence (with crypto ACL, transform set and set peer entries).
Hope that helps.
06-22-2010 06:14 AM
In my understanding, in the policy portion of the VPN building process, no matter what number a policy has, it is not tied to any crypto map or any other settings. The firewall just uses all of the policies it has to attempt to find a matching policy with the remote firewall/host it is attempting to build the tunnel with, to complete the IKE phase 1 portion of the VPN process. If the remote firewall/host has one ISAKMP policy configured on it and the local firewall has 10 ISAKMP policies, then the remote host will attempt to use the one policy it has while the local firewall searches its 10 policies until it finds a match for the remote firewall. Is that right?
06-22-2010 06:17 AM
Yes, you are absolutely correct. As you said, if there are 10 policies, it will try to find a match from policy with the lowest number to the highest number until it finds a match.
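The accepted answer and the follow-up about ISAKMP policy matching, shown as one worked ASA configuration. This is an added example, not configuration posted in the thread; the peer addresses, subnet ranges, ACL and crypto map names are all constructed, and the syntax is the pre-8.3 style the thread's "NAT 0" wording refers to. The "existing" block is what is assumed to already be on the box; only the "additions" block is what the new tunnel requires.

```cisco
! ---- Existing configuration (assumed already present; constructed example) ----
! Two IKE phase 1 policies. Neither is tied to a crypto map: the ASA walks them
! from the lowest priority number to the highest until one matches what the
! remote peer proposes, so no new policy is needed if one of these already matches.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! Phase 2 proposal, re-used by every tunnel whose far end offers the same set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! First tunnel: Site A (peer 203.0.113.10, remote LAN 10.2.2.0/24)
access-list SITE_A_VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address SITE_A_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
! NAT exemption for traffic that must leave the inside untranslated
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ---- Additions for the new tunnel: Site B (peer 198.51.100.20, remote LAN 10.3.3.0/24) ----
! 1. Crypto ACL: defines which traffic this tunnel protects
access-list SITE_B_VPN extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
! 2. One more entry on the existing NAT 0 ACL (no new nat statement)
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
! 3. New sequence on the existing crypto map; the transform set is re-used
crypto map OUTSIDE_MAP 20 match address SITE_B_VPN
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES256-SHA
! 4. The pre-shared key for this peer lives in its own tunnel-group
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <REPLACE_WITH_LONG_RANDOM_KEY_UNIQUE_TO_THIS_PEER>

! ---- Verification after the first interesting packet ----
! show crypto isakmp sa    -> one MM_ACTIVE entry per peer (phase 1 up)
! show crypto ipsec sa     -> encaps/decaps counters for 10.1.1.0 <-> 10.3.3.0
```

Two points the thread does not spell out. The pre-shared key is per peer, so even though the ISAKMP policy and transform set are shared, each new L2L tunnel still needs its own tunnel-group entry, and that key should be unique to the peer rather than copied from an existing tunnel; a leaked key then exposes one tunnel, not all of them. Second, the crypto ACL and the NAT 0 ACL entry must describe the same traffic, with the far end's crypto ACL as the mirror image; a mismatch there is the usual reason phase 1 completes but phase 2 never comes up. On ASA 8.3 and later the NAT exemption is written as a twice-NAT `nat (inside,outside) source static ... destination static ...` rule instead of `nat (inside) 0 access-list`, but the crypto map, crypto ACL and tunnel-group steps are unchanged.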