Different "access-list outside_cryptomap" for every VPN?

Hi,

Just for my understanding.

I have one VPN connected to my Cisco ASA 5520. When I tried to add another VPN I had to create a 2nd cryptomap; can I not create a group so there is one crypto map?

Currently I have:

access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0

I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0

But wondered if I could use something like:

access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks

When I do this though I guess it will cause a problem with the peer address?

Accepted Solutions

Re: Different "access-list outside_cryptomap" for every VPN?

You must use a different access-list in the crypto map for every VPN.
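
A check for the rule in the accepted answer, as an added example that is not part of the thread or any Cisco tooling: it reads ASA configuration text and reports crypto map entries that share a crypto ACL, reference an undefined ACL, or name a peer with no tunnel-group. The second entry and the peer 198.51.100.7 in the sample are constructed, and the tunnel-group check assumes pre-shared-key site-to-site tunnels whose tunnel-group is named after the peer IP, as in the configuration posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample. Entry 1 mirrors the thread; entry 2 and its peer
# 198.51.100.7 are made up, and entry 2 wrongly reuses entry 1's ACL.
SAMPLE = """\
access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 198.51.100.7
tunnel-group 1.2.3.4 type ipsec-l2l
"""

ENTRY = re.compile(r"crypto map (\S+) (\d+) (match address|set peer) (.+)")

def audit(config):
    """Return findings: one ACL per entry, ACLs defined, peers have a tunnel-group."""
    entries = defaultdict(lambda: {"acl": None, "peers": []})
    acls, groups, findings, users = set(), set(), [], defaultdict(list)
    for line in config.splitlines():
        words = line.split()
        m = ENTRY.fullmatch(line.strip())
        if m:
            entry = entries[(m.group(1), int(m.group(2)))]
            if m.group(3) == "match address":
                entry["acl"] = m.group(4).strip()
            else:
                entry["peers"] += m.group(4).split()
        elif words[:1] == ["access-list"] and len(words) > 1:
            acls.add(words[1])  # ACL name follows the keyword
        elif words[:1] == ["tunnel-group"] and words[2:3] == ["type"]:
            groups.add(words[1])  # assumed to be named after the peer IP
    for (name, seq), entry in sorted(entries.items()):
        tag = f"{name} {seq}"
        if entry["acl"] is None:
            findings.append(f"{tag}: no match address")
        elif entry["acl"] not in acls:
            findings.append(f"{tag}: ACL {entry['acl']} is not defined")
        else:
            users[entry["acl"]].append(tag)
        for peer in entry["peers"]:
            if peer not in groups:
                findings.append(f"{tag}: peer {peer} has no tunnel-group")
    for acl, tags in sorted(users.items()):
        if len(tags) > 1:
            findings.append(f"ACL {acl} is shared by {', '.join(tags)}")
    return findings
```

Calling `audit(SAMPLE)` returns two findings for the constructed second entry; pointing that entry at `outside_cryptomap_2` and adding its tunnel-group clears both.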

3 REPLIES

Re: Different "access-list outside_cryptomap" for every VPN?

I know it was a simple question but very useful for me, thanks!

Re: Different "access-list outside_cryptomap" for every VPN?

Is there a certain order I need to add the config into the CLI as well?

I have this to add:

access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
crypto map outside_map 1 match address outside_MYcryptomap_1
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy CBSO-L2L
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key abcdefgh
