Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
416
Views
0
Helpful
3
Replies

ASA 55XX SITE VPN Inquiry?

Go to solution
Charlie Mayes
Level 1
Level 1

‎06-21-2010 06:36 PM

                           Hello All,

                                        I was wondering if I have a Cisco ASA firewall and it has several site to site VPNs using pre-shared keys. If I want to add another VPN to the firewall. Do I have to add all the crypto ISAKMP stuff again or what. Or can I just VPN config all ready in the firewall. I mean besides the New Crypto Map , ACL and NAT 0  statement what other statements do I need to enter in order the buld this new site to site tunnel? I don't want to end up entering more command than is needed.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎06-21-2010 06:47 PM

No, you don't need to add new crypto isakmp policies if you already have a matching policies configured. You can also re-use the crypto ipsec transform-set policy if it is the same on the other site of the LAN-to-LAN tunnel (as long as it matches on both ends).

You are right, the only statements you would need to add would be the ACL entry for NAT 0 and new crypto map sequence (with crypto ACL, transform set and set peer entries).

Hope that helps.

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Charlie Mayes

‎06-22-2010 06:17 AM

Yes, you are absolutely correct. As you said, if there are 10 policies, it will try to find a match from policy with the lowest number to the highest number until it finds a match.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎06-21-2010 06:47 PM

No, you don't need to add new crypto isakmp policies if you already have a matching policies configured. You can also re-use the crypto ipsec transform-set policy if it is the same on the other site of the LAN-to-LAN tunnel (as long as it matches on both ends).

You are right, the only statements you would need to add would be the ACL entry for NAT 0 and new crypto map sequence (with crypto ACL, transform set and set peer entries).

Hope that helps.

0 Helpful

Go to solution
Charlie Mayes
Level 1
Level 1
In response to Jennifer Halim

‎06-22-2010 06:14 AM

                          In my understanding the policy portion the VPN Building process is no matter what number a policy has it is not tied to any crypto map or any other settings. The firewall just uses all of the polices it has to attempt to find a match policy with the remote Firewall/Host it is attempting to build the tunnel with to complete the IKE phase 1 portion of the VPN Process. If the remote Firewall/Host has one ISAKMP policy configured on it  and the local Firewall has 10 ISAKMP policies then the remote host will attempt to use the one policy it has while the local firewall searches its 10 policies until it finds a match for the remote Firewall. Is that right?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Charlie Mayes

‎06-22-2010 06:17 AM

Yes, you are absolutely correct. As you said, if there are 10 policies, it will try to find a match from policy with the lowest number to the highest number until it finds a match.

0 Helpful
Customers Also Viewed These Support Documents