I've done this quite a bit. Just set up a new access-list to define the match traffic, set up a new crypto map with a different number, set up NAT and set up routes to take traffic through your VPN interface. For example:
access-list first_vpn permit ip any 192.168.1.0 255.255.255.0
access-list second_vpn permit ip any 192.168.2.0 255.255.255.0
Your ISAKMP policy can stay the same, unless you have different requirements for each VPN.
It sounds like you are using an interface just for your VPN traffic - this interface can handle multiple VPNs. If you have already configured your NAT for your other VPN, just add the new private (remote) network to the access list that corresponds with your NAT statements. For example:
nat (inside) 0 access-list vpn_nat_inside
The vpn_nat_inside ACL contains all of the remote private networks.
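A check for the point made in the answer above, that the NAT-exemption ACL has to list every remote private network. This is an added example, not part of the original post; it assumes PIX 6.x-style `access-list NAME permit ip ...` lines, and the sample config and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): two site-to-site peers on one
# crypto map, but the NAT-exemption ACL only lists the first remote network.
SAMPLE_CONFIG = """\
access-list first_vpn permit ip any 192.168.1.0 255.255.255.0
access-list second_vpn permit ip any 192.168.2.0 255.255.255.0
access-list vpn_nat_inside permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn_nat_inside
crypto map RTPMAP 10 match address first_vpn
crypto map RTPMAP 20 match address second_vpn
"""

def parse_net(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK') from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Collect 'permit ip' ACL entries, nat 0 ACL names and crypto map match ACLs."""
    acls, nat_exempt, crypto = {}, [], []
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = parse_net(t[4:])
            dst, _ = parse_net(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line.strip()):
            nat_exempt.append(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line.strip()):
            crypto.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, nat_exempt, crypto

def missing_nat_exemptions(text):
    """Return (map, seq, remote_net) for crypto ACL entries no nat 0 ACL entry covers."""
    acls, nat_exempt, crypto = parse_config(text)
    exempt = [e for name in nat_exempt for e in acls.get(name, [])]
    gaps = []
    for cmap, seq, acl in crypto:
        for src, dst in acls.get(acl, []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                gaps.append((cmap, seq, str(dst)))
    return gaps

if __name__ == "__main__":
    for cmap, seq, net in missing_nat_exemptions(SAMPLE_CONFIG):
        print(f"{cmap} seq {seq}: {net} is not in any nat 0 access-list")
```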
Thanks for your help! There is an additional wrinkle, which I didn't realize at the time of my original posting...
Looks like I would be adding the "third" VPN to the outside interface. The first looks like a PIX-to-PIX setup with MANY access-list statements so site B can output to printers at site A. The second VPN uses a dynamic map for the dial-up VPN clients coming into site A. Both VPNs use different ISAKMP policies but both are assigned to what you define above as "vpn_nat_inside." In this case it is "115." Not sure how the dynamic map dial-up clients are working since NAT'ing is disabled with: nat (outside) 0 access-list 115 (Hmmmm???)
My third VPN would be similar to the first VPN.
Since one can only have one "nat (outside) 0 access-list xxx" defined, I tried the following (without success):
VPN1 and VPN2 (dyn) were already assigned to ACL 115 (and working well.)
VPN3 defined and assigned to ACL 113.
Defined ACL 117 to be inclusive of 113 and 115.
set: nat (outside) 0 access-list 117
I also made sure there was only 1 crypto map (RTPMAP) and each of the VPNs was a different sequence (10, 20, 30).
Result: The first 2 VPNs stopped working, according to the customer, and the third VPN couldn't be confirmed as working or not. Rebooted and got things back to where they were to make the customer happy.
Any ideas of what went wrong?? I'm at my wits' end with this one. I'll comb through the links to get some ideas on my own but if anyone sees a glaring error in my thinking, please point it out to me.
Thanks a plenty - this is an invaluable forum!! -Tai