12-19-2002 08:53 AM - edited 02-21-2020 12:14 PM
I could use a general guideline for implementing more than one VPN by entering isakmp, crypto, and access-list commands. Also, I need to know if I need to define an interface for each VPN. Please help!
12-20-2002 11:13 AM
I've done this quite a bit. Just set up a new access-list to define the match traffic, set up a new crypto map entry with a different sequence number, set up NAT, and set up routes to take traffic through your VPN interface. For example:
access-list first_vpn permit ip any 192.168.1.0 255.255.255.0
access-list second_vpn permit ip any 192.168.2.0 255.255.255.0
crypto ipsec transform-set Branch_Offices esp-des esp-sha-hmac
crypto map TEST 10 ipsec-isakmp
crypto map TEST 10 match address first_vpn
crypto map TEST 10 set pfs group2
crypto map TEST 10 set peer x.x.x.x
crypto map TEST 10 set transform-set Branch_Offices
crypto map TEST 10 set security-association lifetime seconds xxx kilobytes xxx
crypto map TEST 20 ipsec-isakmp
crypto map TEST 20 match address second_vpn
crypto map TEST 20 set pfs group2
crypto map TEST 20 set peer y.y.y.y
crypto map TEST 20 set transform-set Branch_Offices
crypto map TEST 20 set security-association lifetime seconds xxx kilobytes xxx
isakmp key xxx address x.x.x.x netmask 255.255.255.255
isakmp key xxx address y.y.y.y netmask 255.255.255.255
Your ISAKMP policy can stay the same, unless you have different requirements for each VPN.
It sounds like you are using an interface just for your VPN traffic - this interface can handle multiple VPNs. If you have already configured your NAT for your other VPN, just add the new private (remote) network to the access list that corresponds with your NAT statements. For example:
nat (inside) 0 access-list vpn_nat_inside
The vpn_nat_inside acl contains all of the remote private networks
nat (vpn_interface) 1 192.168.1.0 255.255.255.0 0 0
You will need this if you are using the 'any' keyword in your VPN match address access-lists - in other words, all traffic goes through the VPN, regardless of its destination.
Don't forget to set up a route to take the traffic to the remote VPN's IP address and to the remote private network via your VPN interface.
route vpn_interface 192.168.1.0 255.255.255.0 vpn_gw
route vpn_interface x.x.x.x 255.255.255.255 vpn_gw
route vpn_interface 192.168.2.0 255.255.255.0 vpn_gw
route vpn_interface y.y.y.y 255.255.255.255 vpn_gw
Hope this helps.
Also, if you want to manage your remote devices through the VPN, take a look at: http://www.cisco.com/warp/public/110/pix_vpn_4094.html
As always, the tips can help: http://www.cisco.com/warp/public/707/index.shtml
12-23-2002 07:49 PM
Thanks for your help! There is an additional wrinkle, which I didn't realize at the time of my original posting...
Looks like I would be adding the "third" VPN to the outside interface. The first looks like a PIX-to-PIX setup with MANY access-list statements so site B can output to printers at site A. The second VPN uses a dynamic map for the dial-up VPN clients coming into site A. Both VPNs use different ISAKMP policies, but both are assigned to what you define above as "vpn_nat_inside." In this case it is "115." Not sure how the dynamic map dial-up clients are working since NAT'ing is disabled with: nat (outside) 0 access-list 115 (Hmmmm???)
My third VPN would be similar to the first VPN.
Since one can only have one "nat (outside) 0 access-list xxx" defined, I tried the following (without success):
VPN1 and VPN2 (dyn) were already assigned to ACL 115 (and working well).
VPN3 defined and assigned to ACL 113.
Defined ACL 117 to be inclusive of 113 and 115.
set: nat (outside) 0 access-list 117
I also made sure there was only one crypto map (RTPMAP) and each of the VPNs was a different sequence (10, 20, 30).
Result: the first two VPNs stopped working, according to the customer, and the third VPN couldn't be confirmed as working or not. Rebooted and got things back to where they were to make the customer happy.
Any ideas of what went wrong?? I'm at my wits end with this one. I'll comb through the links to get some ideas on my own but if anyone sees a blaring error in my thinking, please point them out to me.
Thanks a plenty - this is an invaluable forum!! -Tai
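The consistency rules spelled out in the reply above (one crypto map with a distinct sequence per peer, each entry carrying its own match ACL, peer, transform-set and pre-shared key) and the problem described in this post (a single "nat (iface) 0 access-list" that must cover every remote network the crypto ACLs match) can be checked mechanically before a change is pushed to the box. The following Python linter is an added example written for this thread, not code from the thread or from Cisco; it parses a PIX 6.x-style configuration and reports the mismatches that tend to break a multi-VPN setup. The embedded configuration is constructed for the example, with documentation-range peer addresses and a placeholder key; it deliberately leaves the second VPN's remote network out of the nat 0 ACL and omits its isakmp key so both findings show up.

```python
"""Lint a PIX 6.x-style multi-VPN configuration for the consistency problems
discussed in the thread. Added example, not Cisco code; the config is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the thread's example (192.0.2.x are documentation
# addresses, PLACEHOLDER is not a real key). Two defects are planted on purpose:
# no isakmp key for peer 192.0.2.2, and 192.168.2.0/24 missing from the nat 0 ACL.
SAMPLE_CONFIG = """
access-list first_vpn permit ip any 192.168.1.0 255.255.255.0
access-list second_vpn permit ip any 192.168.2.0 255.255.255.0
access-list vpn_nat_inside permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set Branch_Offices esp-des esp-sha-hmac
crypto map TEST 10 ipsec-isakmp
crypto map TEST 10 match address first_vpn
crypto map TEST 10 set pfs group2
crypto map TEST 10 set peer 192.0.2.1
crypto map TEST 10 set transform-set Branch_Offices
crypto map TEST 20 ipsec-isakmp
crypto map TEST 20 match address second_vpn
crypto map TEST 20 set peer 192.0.2.2
crypto map TEST 20 set transform-set Branch_Offices
crypto map TEST interface outside
nat (inside) 0 access-list vpn_nat_inside
isakmp key PLACEHOLDER address 192.0.2.1 netmask 255.255.255.255
"""


def parse_ace(tokens):
    """Turn the tokens after 'permit ip' into a (src, dst) pair of IPv4Network.
    Handles the 'any', 'host A.B.C.D' and 'NET MASK' address forms."""
    def take(i):
        if tokens[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tokens[i] == "host":
            return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
        return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2
    src, i = take(0)
    dst, _ = take(i)
    return src, dst


def parse_config(text):
    """Collect the ACLs, transform-sets, crypto map entries, nat 0 bindings and
    pre-shared-key peers from a flat PIX configuration."""
    cfg = {
        "acls": defaultdict(list),      # name -> [(src, dst)]
        "transform_sets": set(),
        "crypto": defaultdict(dict),    # (map name, seq) -> {match, peer, transform_set}
        "nat0": defaultdict(list),      # interface -> [acl names]
        "isakmp_peers": set(),          # peers that have an isakmp key
    }
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4:
            continue
        if tok[0] == "access-list" and tok[2] == "permit" and tok[3] == "ip":
            cfg["acls"][tok[1]].append(parse_ace(tok[4:]))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(tok[3])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 4 and tok[3].isdigit():
            entry = cfg["crypto"][(tok[2], int(tok[3]))]   # creates the entry on 'ipsec-isakmp'
            rest = tok[4:]
            if rest[:2] == ["match", "address"]:
                entry["match"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_set"] = rest[2]
        elif tok[0] == "nat" and len(tok) > 4 and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0"][tok[1].strip("()")].append(tok[4])
        elif tok[:2] == ["isakmp", "key"] and len(tok) > 4 and tok[3] == "address":
            cfg["isakmp_peers"].add(tok[4])
    return cfg


def lint_config(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    cfg = parse_config(text)
    findings = []
    # Remote networks exempted from translation by any nat 0 ACL.
    exempt = [dst for acl in sum(cfg["nat0"].values(), [])
              for _, dst in cfg["acls"].get(acl, [])]
    for iface, acls in cfg["nat0"].items():
        if len(acls) > 1:
            findings.append(f"nat ({iface}) 0 access-list is defined {len(acls)} times; only one ACL is active")
    if len({name for name, _ in cfg["crypto"]}) > 1:
        findings.append("more than one crypto map name; an interface binds only one crypto map")
    for (name, seq), e in sorted(cfg["crypto"].items()):
        tag = f"crypto map {name} {seq}"
        for field in ("match", "peer", "transform_set"):
            if field not in e:
                findings.append(f"{tag}: missing {field.replace('_', '-')}")
        if e.get("transform_set") and e["transform_set"] not in cfg["transform_sets"]:
            findings.append(f"{tag}: transform-set {e['transform_set']} is not defined")
        if e.get("peer") and e["peer"] not in cfg["isakmp_peers"]:
            findings.append(f"{tag}: no isakmp key for peer {e['peer']}")
        acl = e.get("match")
        if acl and acl not in cfg["acls"]:
            findings.append(f"{tag}: match ACL {acl} is not defined")
        for _, dst in cfg["acls"].get(acl, []):
            if not any(dst.subnet_of(x) for x in exempt):
                findings.append(f"{tag}: remote network {dst} is not exempted by any nat 0 ACL")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter reports the two planted defects for crypto map TEST 20 and nothing for TEST 10; adding the missing nat 0 ACE and isakmp key makes it return an empty list. The coverage check uses subnet containment rather than string equality, so an ACL that exempts a larger aggregate (say, 192.168.0.0/16) still satisfies a /24 crypto ACL.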
12-20-2002 12:16 PM
Hi,
You can use the below URL for your reference.
http://www.cisco.com/warp/public/110/pixmeshed.html
Regards,
Arul