Cisco Support Community
New Member

2 Crypto maps on outside interface? Possible?

Hiya, I'm having a wee problem with a PIX 515 UR on FOS 6.3(1).

What I'm trying to do is run 2 site-to-site VPNs to it. The thing is: although I can enter two separate crypto maps in the config, it's only the most recent one which is active when I do a 'sh crypto sa'.

Anyone have any ideas?

TIA-

Gary

2 ACCEPTED SOLUTIONS
New Member

Re: 2 Crypto maps on outside interface? Possible?

I do multiples like this:

I have the main map applied to the outside:

crypto map toXXXX interface outside

Then I build more maps calling out ACL's like so:

crypto map toXXXX 20 ipsec-isakmp
crypto map toXXXX 20 match address no_nat   (ACL name)
crypto map toXXXX 20 set peer x.x.x.x
crypto map toXXXX 20 set transform-set mytrans
crypto map toXXXX 20 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map toXXXX 40 ipsec-isakmp
crypto map toXXXX 40 match address toACME   (ACL name)
crypto map toXXXX 40 set peer x.x.x.x
crypto map toXXXX 40 set transform-set mytrans
crypto map toXXXX 40 set security-association lifetime seconds 3600 kilobytes 4608000

New Member

Re: 2 Crypto maps on outside interface? Possible?

Hi Gary,

You can use sequence numbers to create multiple tunnel configurations and after all of that you will still be using a single crypto map just like this:

(config)#crypto map L2L-VPN 10 ipsec-isakmp
(config)#crypto map L2L-VPN 10 match address VPN-ACL01
(config)#crypto map L2L-VPN 10 set peer x.x.x.x
(config)#crypto map L2L-VPN 10 set transform-set TRANS01

(config)#crypto map L2L-VPN 20 ipsec-isakmp
(config)#crypto map L2L-VPN 20 match address VPN-ACL02
(config)#crypto map L2L-VPN 20 set peer y.y.y.y
(config)#crypto map L2L-VPN 20 set transform-set TRANS02

(config)#crypto map L2L-VPN interface outside

Hope you find this applicable and helpful.

Salem.

3 REPLIES
New Member

Re: 2 Crypto maps on outside interface? Possible?

Thanks guys, both of you had hit the nail on the head. I had devised 2 crypto maps, thinking that was the way to do it. I've only 1 map now, and 2 sets of sequence numbers, ACLs, etc.

All working now. Thanks and regards for taking the trouble to answer.

Gary
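The rule both accepted answers rely on, and that Gary's closing post confirms, is that a PIX interface holds one crypto map name, and separate tunnels live under that one name as separate sequence numbers. The following Python linter is an added example, not code from the thread or from Cisco: it reads pasted `crypto map` lines (with or without the `(config)#` prompt) and reports the two ways this goes wrong, namely a second `crypto map NAME interface outside` silently replacing the first, and a reused sequence number whose later `match address` / `set transform-set` lines overwrite the earlier ones. The overwrite behaviour it models is the one described in this thread; the three sample configs, map names and peer addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict

# Entry lines: 'crypto map NAME SEQ <rest>'; binding lines: 'crypto map NAME interface IFACE'.
ENTRY_RE = re.compile(r"^crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")
BIND_RE = re.compile(r"^crypto map (?P<name>\S+) interface (?P<iface>\S+)$")


def _clean(raw):
    """Strip whitespace and a leading '(config)#' prompt as pasted from the CLI."""
    line = raw.strip()
    return line[len("(config)#"):].strip() if line.startswith("(config)#") else line


def parse_crypto_maps(config_text):
    """Return (entries, bindings, findings).

    entries[map_name][seq] -> {'type', 'acl', 'transform', 'peers'}
    bindings[iface]        -> map names applied to that interface, in config order
    findings               -> overwrites noticed while parsing (a later line replaces an earlier one)
    """
    entries, bindings, findings = defaultdict(dict), defaultdict(list), []
    for raw in config_text.splitlines():
        line = _clean(raw)
        m = BIND_RE.match(line)
        if m:
            bindings[m.group("iface")].append(m.group("name"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, seq = m.group("name"), int(m.group("seq"))
        entry = entries[name].setdefault(
            seq, {"type": None, "acl": None, "transform": None, "peers": []})
        words = m.group("rest").split()
        if words[0] in ("ipsec-isakmp", "ipsec-manual"):
            entry["type"] = words[0]
        elif words[:2] == ["match", "address"] and len(words) > 2:
            # Re-entering 'match address' on the same sequence replaces the earlier ACL.
            if entry["acl"] and entry["acl"] != words[2]:
                findings.append(f"{name} {seq}: match address {entry['acl']} replaced by {words[2]}")
            entry["acl"] = words[2]
        elif words[:2] == ["set", "transform-set"] and len(words) > 2:
            if entry["transform"] and entry["transform"] != words[2:]:
                findings.append(f"{name} {seq}: transform-set {' '.join(entry['transform'])} "
                                f"replaced by {' '.join(words[2:])}")
            entry["transform"] = words[2:]
        elif words[:2] == ["set", "peer"] and len(words) > 2:
            entry["peers"].extend(words[2:])  # several peers per entry are legitimate (backup peers)
    return entries, bindings, findings


def lint_crypto_maps(config_text):
    """Return a list of human-readable findings; an empty list means the maps look consistent."""
    entries, bindings, findings = parse_crypto_maps(config_text)
    for iface, names in bindings.items():
        if len(names) > 1:
            # Only one crypto map can be bound per interface; the last command wins.
            findings.append(f"interface {iface}: {', '.join(names[:-1])} replaced by {names[-1]}; "
                            "only the last applied map is active")
    active = {names[-1] for names in bindings.values()}
    for name, seqs in entries.items():
        if name not in active:
            findings.append(f"crypto map {name} is not active on any interface; "
                            f"its {len(seqs)} entries will never negotiate a tunnel")
        for seq, e in sorted(seqs.items()):
            missing = [k for k in ("acl", "transform") if not e[k]] + ([] if e["peers"] else ["peer"])
            if missing:
                findings.append(f"{name} {seq}: incomplete entry, missing {', '.join(missing)}")
    return findings


# Constructed samples (RFC 5737 documentation addresses), not configs from the thread.
# TWO_MAPS mirrors the original poster's approach: two map names both applied to 'outside'.
TWO_MAPS = """
crypto map toSITEA 10 ipsec-isakmp
crypto map toSITEA 10 match address SITEA-ACL
crypto map toSITEA 10 set peer 192.0.2.10
crypto map toSITEA 10 set transform-set mytrans
crypto map toSITEA interface outside
crypto map toSITEB 10 ipsec-isakmp
crypto map toSITEB 10 match address SITEB-ACL
crypto map toSITEB 10 set peer 198.51.100.20
crypto map toSITEB 10 set transform-set mytrans
crypto map toSITEB interface outside
"""
# ONE_MAP follows the accepted answers: one map name, one sequence number per tunnel.
ONE_MAP = """
(config)#crypto map L2L-VPN 10 ipsec-isakmp
(config)#crypto map L2L-VPN 10 match address VPN-ACL01
(config)#crypto map L2L-VPN 10 set peer 192.0.2.10
(config)#crypto map L2L-VPN 10 set transform-set TRANS01
(config)#crypto map L2L-VPN 20 ipsec-isakmp
(config)#crypto map L2L-VPN 20 match address VPN-ACL02
(config)#crypto map L2L-VPN 20 set peer 198.51.100.20
(config)#crypto map L2L-VPN 20 set transform-set TRANS02
(config)#crypto map L2L-VPN interface outside
"""
# REUSED_SEQ reuses sequence 10 for the second tunnel, so its lines overwrite the first one.
REUSED_SEQ = ONE_MAP.replace("L2L-VPN 20", "L2L-VPN 10")
```

Running `lint_crypto_maps` over a `show running-config` paste before committing a second tunnel catches both mistakes offline: `TWO_MAPS` yields two findings (the second interface binding replacing the first, and the orphaned map), `REUSED_SEQ` yields two overwrite findings, and `ONE_MAP` yields none. Multiple `set peer` lines on one sequence are deliberately not flagged, since a list of peers is how backup peers are configured.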
