2 Crypto maps on outside interface? Possible?

0r8it
Level 1

Hiya, I'm having a wee problem with a PIX 515 UR on FOS 6.3(1).

What I'm trying to do is run 2 site-to-site VPNs to it. The thing is: although I can enter two separate crypto maps in the config, it's only the most recent one which is active when I do a 'sh crypto sa'.

Anyone have any ideas?

TIA-

Gary

2 Accepted Solutions

dhartnett
Level 1

I do multiples like this:

I have the main map applied to the outside:

crypto map toXXXX interface outside

Then I build more maps calling out ACLs like so:

crypto map toXXXX 20 ipsec-isakmp
crypto map toXXXX 20 match address no_nat   (ACL name)
crypto map toXXXX 20 set peer x.x.x.x
crypto map toXXXX 20 set transform-set mytrans
crypto map toXXXX 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map toXXXX 40 ipsec-isakmp
crypto map toXXXX 40 match address toACME   (ACL name)
crypto map toXXXX 40 set peer x.x.x.x
crypto map toXXXX 40 set transform-set mytrans
crypto map toXXXX 40 set security-association lifetime seconds 3600 kilobytes 4608000


scheikhnajib
Level 1

Hi Gary,

You can use sequence numbers to create multiple tunnel configurations, and after all of that you will still be using a single crypto map, just like this:

(config)#crypto map L2L-VPN 10 ipsec-isakmp
(config)#crypto map L2L-VPN 10 match address VPN-ACL01
(config)#crypto map L2L-VPN 10 set peer x.x.x.x
(config)#crypto map L2L-VPN 10 set transform-set TRANS01
(config)#crypto map L2L-VPN 20 ipsec-isakmp
(config)#crypto map L2L-VPN 20 match address VPN-ACL02
(config)#crypto map L2L-VPN 20 set peer y.y.y.y
(config)#crypto map L2L-VPN 20 set transform-set TRANS02
(config)#crypto map L2L-VPN interface outside

Hope you find this applicable and helpful.

Salem.

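The layout both answers recommend (one crypto map name, one sequence number per peer, one binding to the outside interface) can be checked mechanically before a config is pasted into a firewall. The script below is an added example, not from this thread or from Cisco: it parses PIX/IOS-style `crypto map` lines from a config dump and flags the two mistakes this thread turns on, namely two differently named maps applied to the same interface (only the last `crypto map NAME interface outside` binding is active, which is why only one tunnel showed up) and a sequence number reused inside one map (the later `match address` silently replaces the earlier ACL). It also reports incomplete entries and maps never applied to an interface. The map names, ACL names, interface names and RFC 5737 peer addresses in the sample configs are constructed for the example.

```python
# Added example (not from the thread): lint a PIX/IOS-style config for the
# crypto map mistakes discussed above. All names and peers below are made up.
import re
from collections import defaultdict

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config):
    """Return ([(map, iface), ...], {(map, seq): {type, acl, peer, transform}}).
    Lists keep every value seen so that repeated commands can be detected."""
    bindings, entries = [], defaultdict(
        lambda: {"type": None, "acl": [], "peer": [], "transform": []})
    for raw in config.splitlines():
        line = re.sub(r"^\(config\)#\s*", "", raw.strip())  # tolerate pasted prompts
        if m := BIND_RE.match(line):
            bindings.append((m.group(1), m.group(2)))
        elif m := ENTRY_RE.match(line):
            e, w = entries[(m.group(1), int(m.group(2)))], m.group(3).split()
            if w[0] == "ipsec-isakmp":
                e["type"] = "ipsec-isakmp"
            elif len(w) > 2 and w[:2] == ["match", "address"]:
                e["acl"].append(w[2])
            elif len(w) > 2 and w[:2] == ["set", "peer"]:
                e["peer"].append(w[2])
            elif len(w) > 2 and w[:2] == ["set", "transform-set"]:
                e["transform"].append(w[2])
    return bindings, dict(entries)


def lint_crypto_maps(config):
    """Return human-readable findings; an empty list means the layout is sound."""
    bindings, entries = parse_crypto_maps(config)
    findings = []
    per_iface = defaultdict(list)
    for name, iface in bindings:           # 1. several maps on one interface:
        if name not in per_iface[iface]:   #    only the last binding is active
            per_iface[iface].append(name)
    for iface, names in per_iface.items():
        if len(names) > 1:
            findings.append(f"interface {iface}: maps {', '.join(names)} all "
                            f"bound; only the last one ({names[-1]}) is active")
    for (name, seq), e in sorted(entries.items()):   # 2. per-entry problems
        tag = f"crypto map {name} {seq}"
        if len(e["acl"]) > 1:                        # sequence number reused
            findings.append(f"{tag}: sequence reused, match address "
                            f"{e['acl'][0]} replaced by {e['acl'][-1]}")
        if e["type"] != "ipsec-isakmp":
            findings.append(f"{tag}: missing 'ipsec-isakmp'")
        for key in ("acl", "peer", "transform"):
            if not e[key]:
                findings.append(f"{tag}: no {key} configured")
    bound = {name for name, _ in bindings}           # 3. map never applied
    for name in sorted({n for n, _ in entries} - bound):
        findings.append(f"crypto map {name}: defined but not applied to any interface")
    return findings


def active_entries(config):
    """Entries that would actually carry traffic: those of the map bound last
    on each interface. Returns [(iface, map, seq, first_peer, acl), ...]."""
    bindings, entries = parse_crypto_maps(config)
    live = {}
    for name, iface in bindings:
        live[iface] = name  # a later binding replaces the earlier one
    return [(iface, n, seq, e["peer"][0] if e["peer"] else None,
             e["acl"][-1] if e["acl"] else None)
            for iface, name in sorted(live.items())
            for (n, seq), e in sorted(entries.items()) if n == name]


# Constructed sample 1: what the question describes, two separately named maps
# both applied to "outside".
TWO_MAPS = """\
crypto map toSITEA 10 ipsec-isakmp
crypto map toSITEA 10 match address ACL-SITEA
crypto map toSITEA 10 set peer 192.0.2.1
crypto map toSITEA 10 set transform-set mytrans
crypto map toSITEA interface outside
crypto map toSITEB 10 ipsec-isakmp
crypto map toSITEB 10 match address ACL-SITEB
crypto map toSITEB 10 set peer 198.51.100.1
crypto map toSITEB 10 set transform-set mytrans
crypto map toSITEB interface outside
"""

# Constructed sample 2: the recommended layout, one map with two sequence numbers.
ONE_MAP = """\
crypto map L2L-VPN 10 ipsec-isakmp
crypto map L2L-VPN 10 match address VPN-ACL01
crypto map L2L-VPN 10 set peer 192.0.2.1
crypto map L2L-VPN 10 set transform-set TRANS01
crypto map L2L-VPN 20 ipsec-isakmp
crypto map L2L-VPN 20 match address VPN-ACL02
crypto map L2L-VPN 20 set peer 198.51.100.1
crypto map L2L-VPN 20 set transform-set TRANS02
crypto map L2L-VPN interface outside
"""

# Constructed sample 3: one map, but sequence 10 reused for the second peer,
# so the second set of commands overwrites the first.
REUSED_SEQ = ONE_MAP.replace("L2L-VPN 20", "L2L-VPN 10")

if __name__ == "__main__":
    for cfg in (TWO_MAPS, ONE_MAP, REUSED_SEQ):
        print(lint_crypto_maps(cfg) or ["clean"], active_entries(cfg))
```

Feed it the output of `show running-config` (or a pasted snippet with `(config)#` prompts, which it strips) and compare `active_entries` with what `show crypto ipsec sa` reports: a peer present in the config but absent from the active list is the symptom described in the question.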

3 Replies

Thanks guys, both of you hit the nail on the head. I had devised 2 crypto maps, thinking that was the way to do it. I've only 1 map now, and 2 sets of sequence numbers, ACLs, etc.

All working now- thanks and regards for taking the trouble to answer.

Gary