02-16-2006 09:39 AM - edited 03-09-2019 01:57 PM
Hiya, I'm having a wee problem with a PIX 515 UR on FOS 6.3 (1).
What I'm trying to do is run 2 site to site VPNs to it. The thing is: although I can enter two separate crypto maps in the config, it's only the most recent one which is active when I do a 'sh crypto sa'.
Anyone have any ideas?
TIA-
Gary
02-16-2006 12:08 PM
I do multiples like this:
I have the main map applied to the outside:
crypto map toXXXX interface outside
Then I build more maps calling out ACLs like so:
crypto map toXXXX 20 ipsec-isakmp
crypto map toXXXX 20 match address no_nat (ACL Name)
crypto map toXXXX 20 set peer x.x.x.x
crypto map toXXXX 20 set transform-set mytrans
crypto map toXXXX 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map toXXXX 40 ipsec-isakmp
crypto map toXXXX 40 match address toACME (ACL Name)
crypto map toXXXX 40 set peer x.x.x.x
crypto map toXXXX 40 set transform-set mytrans
crypto map toXXXX 40 set security-association lifetime seconds 3600 kilobytes 4608000
02-17-2006 01:15 AM
Hi Gary,
You can use sequence numbers to create multiple tunnel configurations and after all of that you will still be using a single crypto map just like this:
(config)#crypto map L2L-VPN 10 match address VPN-ACL01
(config)#crypto map L2L-VPN 10 set peer x.x.x.x
(config)#crypto map L2L-VPN 10 set transform-set TRANS01
(config)#crypto map L2L-VPN 20 match address VPN-ACL02
(config)#crypto map L2L-VPN 20 set peer y.y.y.y
(config)#crypto map L2L-VPN 20 set transform-set TRANS02
(config)#crypto map L2L-VPN interface outside
Hope you find this applicable and helpful.
Salem.
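As an added example serving both answers above (not code from the thread, from Cisco, or from either poster): a small Python audit that reads 'crypto map' lines from a PIX config snippet and flags the two mistakes discussed, a map name that is defined but never applied to an interface, and a sequence number whose peer is set twice (which overwrites the entry instead of adding a tunnel). The regexes assume only the 'crypto map <name> <seq> ...' and 'crypto map <name> interface <if>' syntax shown in the thread, and the two sample configs are constructed.

```python
import re
from collections import defaultdict
# Added example, not from the thread. "crypto map <name> interface <if>" binds a
# map set to an interface; "crypto map <name> <seq> ..." is one entry of that set.
BIND_RE = re.compile(r"^\s*(?:\(config\)#)?crypto map (\S+) interface (\S+)\s*$")
ENTRY_RE = re.compile(r"^\s*(?:\(config\)#)?crypto map (\S+) (\d+) (.+?)\s*$")

def audit_crypto_maps(config_text):
    """Return findings: a map never applied to an interface, or a seq with two peers."""
    bound_names = set()
    peers = defaultdict(lambda: defaultdict(set))    # name -> seq -> {peer}
    for line in config_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            bound_names.add(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        seq_peers = peers[name][seq]          # registers the entry on first sight
        p = re.match(r"set peer (\S+)", rest)
        if p:
            seq_peers.add(p.group(1))
    findings = []
    for name in sorted(peers):
        if name not in bound_names:
            findings.append(f"{name}: defined but not applied to any interface")
        for seq, ps in sorted(peers[name].items()):
            if len(ps) > 1:
                findings.append(f"{name} seq {seq}: {len(ps)} peers share one entry")
    return findings

# Constructed sample: two map names, only the most recent one bound to 'outside'.
TWO_MAPS = """
crypto map toSITE-A 10 match address acl-site-a
crypto map toSITE-A 10 set peer 192.0.2.1
crypto map toSITE-B 10 match address acl-site-b
crypto map toSITE-B 10 set peer 198.51.100.1
crypto map toSITE-B interface outside
"""
# Constructed sample: the same two tunnels as entries 10 and 20 of one map set.
ONE_MAP = """
crypto map L2L 10 match address acl-site-a
crypto map L2L 10 set peer 192.0.2.1
crypto map L2L 20 match address acl-site-b
crypto map L2L 20 set peer 198.51.100.1
crypto map L2L interface outside
"""
```

Running audit_crypto_maps(TWO_MAPS) reports the unbound toSITE-A map, while ONE_MAP comes back clean.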
02-17-2006 09:13 AM
Thanks guys, both of you have hit the nail on the head. I had devised 2 crypto maps, thinking that was the way to do it. I've only 1 map now, and 2 sets of sequence numbers, ACLs, etc.
All working now, thanks and regards for taking the trouble to answer.
Gary