MULTIPLE CRYPTO MAP

edimonte1980
Level 1

I would like to have two crypto maps on one interface. Is that possible?

Example

crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
crypto map map_london 20 ipsec-isakmp
crypto map map_london 20 match address acl_london
crypto map map_london 20 set pfs group2
crypto map map_london 20 set peer aa.bb.cc.dd
crypto map map_london interface outside

2 Accepted Solutions

You can only bind one crypto map to an interface. You can have many tunnels on the same crypto map (dynamic maps included) by creating a new policy number.

For example

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set AWU_Transform
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer y.y.y.y
crypto map outside_map 40 set transform-set AWU_Transform
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

I hope it helps .. please rate it if it does !!!

Here's an example. The reason I've got two statements for the crypto ACL is so that it doesn't cause problems with PDM, as PDM doesn't like the same statement in two places within the configuration.

access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 100 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 200 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 300 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 400 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 100
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set transform-set TEST
crypto map MYMAP 20 ipsec-isakmp
crypto map MYMAP 20 match address 200
crypto map MYMAP 20 set peer x.x.x.x
crypto map MYMAP 20 set transform-set TEST
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 300
crypto map MYMAP 30 set peer x.x.x.x
crypto map MYMAP 30 set transform-set TEST
crypto map MYMAP 40 ipsec-isakmp
crypto map MYMAP 40 match address 400
crypto map MYMAP 40 set peer x.x.x.x
crypto map MYMAP 40 set transform-set TEST
crypto map MYMAP interface outside
isakmp enable outside
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Hope this helps, please rate post if it does.

Jay
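Both accepted answers make the same structural points: one crypto map per interface, one sequence entry per static peer, the dynamic entry at the highest sequence number, and a pre-shared key for each static peer. The following check is an added illustration, not code from the thread or from Cisco; it parses a PIX-style configuration and reports layouts that break those rules. The SAMPLE_CONFIG is constructed for the demo and mirrors the question (two maps bound to "outside") next to a MYMAP built like the answers.

```python
import re
from collections import defaultdict

# Constructed PIX-style snippet: MYMAP is laid out like the accepted answers,
# but map_london is also bound to "outside", as in the original question.
SAMPLE_CONFIG = """\
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 100
crypto map MYMAP 10 set peer 198.51.100.1
crypto map MYMAP 10 set transform-set TEST
crypto map MYMAP 20 ipsec-isakmp dynamic dynmap
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 300
crypto map MYMAP 30 set peer 198.51.100.3
crypto map MYMAP interface outside
crypto map map_london 20 ipsec-isakmp
crypto map map_london 20 set pfs
crypto map map_london interface outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
"""
def audit_crypto_maps(config):
    """Check one map per interface, dynamic entries last, static entries complete."""
    entries = defaultdict(dict)   # (map name, seq) -> attributes of that entry
    bindings = defaultdict(list)  # interface -> map names bound to it
    keyed_peers = set()           # peers that have an isakmp pre-shared key
    for line in config.splitlines():
        if m := re.match(r"isakmp key \S+ address (\S+)", line):
            keyed_peers.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bindings[m.group(2)].append(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (.*)", line):
            e, rest = entries[(m.group(1), int(m.group(2)))], m.group(3).split()
            if rest[0] == "ipsec-isakmp":
                e["dynamic"] = rest[1:2] == ["dynamic"]
            elif rest[0] in ("match", "set") and rest[1] in ("address", "peer", "transform-set"):
                e[rest[1]] = rest[2]  # "set pfs" and similar are ignored here
    findings = []
    for intf, maps in bindings.items():
        if len(maps) > 1:
            findings.append(f"{intf}: {len(maps)} maps bound ({', '.join(maps)}); only one is allowed")
    for (name, seq), e in sorted(entries.items()):
        if e.get("dynamic"):  # a dynamic entry must not shadow static peers after it
            later = [s for n, s in entries if n == name and s > seq and not entries[n, s].get("dynamic")]
            if later:
                findings.append(f"{name} {seq}: dynamic entry precedes static entries {later}; give it the highest seq")
            continue
        findings += [f"{name} {seq}: missing {a}" for a in ("address", "peer", "transform-set") if a not in e]
        if "peer" in e and e["peer"] not in keyed_peers:
            findings.append(f"{name} {seq}: no isakmp key for peer {e['peer']}")
    return findings
```

Running audit_crypto_maps(SAMPLE_CONFIG) reports the double binding on "outside", the dynamic entry that sits before a static one, and the incomplete entries; a configuration shaped like the accepted answers returns no findings.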

6 Replies

jmia
Level 7

YES!

How do I do it?



Fernando_Meza
Level 7

Please advise what you are trying to achieve.

I was trying to connect multiple VPN clients with dyn-map and a VPN point-to-point, everything on the same interface. Thanks all of you for your help.

Regards,

Eduardo
