Issue while creating static-dynamic IPSec tunnel when another static-static tunnel already exists

Unanswered Question
May 8th, 2014

I am attempting to create an IPSec tunnel between my home statically-addressed ASA 5505 and a remote dynamically-addressed ASA 5505. I have been following some steps from multiple sites, but I keep running into an issue wherein the crypto map and connection profile for a pre-existing static-to-static tunnel keep being overwritten (I see this in the ASDM). How do I configure a secondary tunnel on the same ASA without overwriting the existing tunnel's settings?

Here are the existing tunnel's settings on the home router:

access-list 101 extended permit ip object hcnet-inside object mallet-inside
...
access-list Mallet-LAN_Traffic extended permit ip object hcnet-inside object mallet-inside
...
nat (inside,any) source static hcnet-inside hcnet-inside destination static mallet-inside mallet-inside no-proxy-arp route-lookup
....
crypto ipsec ikev1 transform-set Mallet-L2L esp-aes esp-sha-hmac
crypto map Mallet-L2L 1 match address Mallet-LAN_Traffic
crypto map Mallet-L2L 1 set pfs group5
crypto map Mallet-L2L 1 set peer Mallet-WAN
crypto map Mallet-L2L 1 set ikev1 transform-set Mallet-L2L
crypto map Mallet-L2L 1 set security-association lifetime seconds 3600
crypto map Mallet-L2L interface outside
...
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
...
tunnel-group REMOTE-ROUTER-OUTSIDE-INTERFACE-IP-ADDRESS type ipsec-l2l
tunnel-group REMOTE-ROUTER-OUTSIDE-INTERFACE-IP-ADDRESS ipsec-attributes
 ikev1 pre-shared-key *****


Here is what I'm trying to configure for the new tunnel on the home (static) router:

access-list 101 extended permit ip object hcnet-inside object juvenile-inside
...
access-list Juvenile-LAN_Traffic extended permit ip object hcnet-inside object juvenile-inside
...
nat (inside,any) source static hcnet-inside hcnet-inside destination static juvenile-inside juvenile-inside no-proxy-arp route-lookup
...
crypto ipsec ikev1 transform-set Juvenile-L2L esp-aes esp-sha-hmac
crypto dynamic-map JUV-DYN-MAP 20 match address Juvenile-LAN_Traffic
crypto dynamic-map JUV-DYN-MAP 20 set ikev1 transform-set Juvenile-L2L
crypto dynamic-map JUV-DYN-MAP 20 set pfs group2
crypto map Juvenile-L2L 20 ipsec-isakmp dynamic JUV-DYN-MAP
crypto map Juvenile-L2L 20 set security-association lifetime seconds 28800
crypto map Juvenile-L2L interface outside
...
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
...
tunnel-group REMOTE-ASA-INSIDE-INTERFACE-IP-ADDRESS type ipsec-l2l
tunnel-group REMOTE-ASA-INSIDE-INTERFACE-IP-ADDRESS ipsec-attributes
 ikev1 pre-shared-key *****


Can anyone tell me any reason why this shouldn't work?  Why would this configuration be overwriting current IPSec configurations?  Does anyone have a better way to do this?  Any help with this is greatly appreciated.
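The following is an added configuration example, not the poster's configuration and not a quotation from Cisco documentation. It shows the layout a practitioner would use on the static-side ASA when one peer has a fixed address and the other does not: an ASA binds only one crypto map set per interface, so issuing `crypto map Juvenile-L2L interface outside` after `crypto map Mallet-L2L interface outside` replaces the first binding rather than adding to it. Both peers therefore live in one crypto map set, the static entry at a low sequence number and the dynamic entry at the highest one so it is consulted last, and the dynamically-addressed peer authenticates through `DefaultL2LGroup`, since a tunnel-group named after an address the ASA never sees in IKE (the remote inside address) is not matched. The map name `SITE-MAP` is an assumed name; object and ACL names are reused from the post; the pre-shared keys are placeholders.

```cisco
! Added example, not the original poster's configuration.
! One crypto map set (SITE-MAP, an assumed name) carries both peers.

! Static peer (Mallet): known address, explicit peer, low sequence number
access-list Mallet-LAN_Traffic extended permit ip object hcnet-inside object mallet-inside
crypto ipsec ikev1 transform-set Mallet-L2L esp-aes esp-sha-hmac
crypto map SITE-MAP 1 match address Mallet-LAN_Traffic
crypto map SITE-MAP 1 set pfs group5
crypto map SITE-MAP 1 set peer Mallet-WAN
crypto map SITE-MAP 1 set ikev1 transform-set Mallet-L2L
crypto map SITE-MAP 1 set security-association lifetime seconds 3600

! Dynamic peer (Juvenile): address unknown, so a dynamic map with no peer statement
access-list Juvenile-LAN_Traffic extended permit ip object hcnet-inside object juvenile-inside
crypto ipsec ikev1 transform-set Juvenile-L2L esp-aes esp-sha-hmac
crypto dynamic-map JUV-DYN-MAP 20 match address Juvenile-LAN_Traffic
crypto dynamic-map JUV-DYN-MAP 20 set ikev1 transform-set Juvenile-L2L
crypto dynamic-map JUV-DYN-MAP 20 set pfs group2
crypto dynamic-map JUV-DYN-MAP 20 set security-association lifetime seconds 28800

! Highest sequence number in the set, so the static entry is evaluated first
crypto map SITE-MAP 65535 ipsec-isakmp dynamic JUV-DYN-MAP

! Bound to the interface exactly once; a second map name here would replace this binding
crypto map SITE-MAP interface outside

! IKEv1 policies are global and coexist; one per proposal
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Static peer keeps a tunnel-group keyed by its public (outside) address
tunnel-group REMOTE-ROUTER-OUTSIDE-INTERFACE-IP-ADDRESS type ipsec-l2l
tunnel-group REMOTE-ROUTER-OUTSIDE-INTERFACE-IP-ADDRESS ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-MALLET-PSK>

! A peer whose address is not known cannot be matched by IP; IKEv1 L2L falls back to DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-JUVENILE-PSK>
```

After applying this, `show run crypto map` should list a single map set with entries 1 and 65535 and one `interface outside` binding, and `show crypto ikev1 sa` should show a Phase 1 SA for each peer once they negotiate. Using a separate pre-shared key for `DefaultL2LGroup` limits the blast radius if the dynamic peer's key is ever exposed, since it cannot be replayed against the static peer's group.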
