Can Dynamic crypto map coexist with static crypto map on one router?
I have an 1841 router that we've been using as our L2L VPN hub at our main office. All of our home office users have L2L IPSec VPNs that terminate on that router. Currently, they all have various broadband connections with static IP addresses and 870 series routers at their homes.
I have one user who cannot get a static IP address, so I am wondering, can I add a dynamic crypto map to this router without affecting the existing static ones?
Relevant parts of the 1841 config:
!
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ** address 220.127.116.11
crypto isakmp key ** address 18.104.22.168
crypto isakmp key ** address 22.214.171.124
crypto isakmp key ** address 126.96.36.199
crypto isakmp key ** address 188.8.131.52
crypto isakmp key ** address 184.108.40.206
crypto isakmp key ** address 220.127.116.11
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
!
crypto map chris-vpn 5 ipsec-isakmp
 description Tunnel to cnc.chris.877
 set peer 18.104.22.168
 set transform-set ESP-AES-MD5
 match address Chris-IPSec
crypto map chris-vpn 6 ipsec-isakmp
 description Tunnel to cnc.lance.871
 set peer 22.214.171.124
 set transform-set ESP-AES-MD5
 match address Lance-IPSec
crypto map chris-vpn 7 ipsec-isakmp
 description Tunnel to cnc.scott.877
 set peer 126.96.36.199
 set transform-set ESP-AES-MD5
 match address Scott-IPSec
crypto map chris-vpn 8 ipsec-isakmp
 description Tunnel to Katy's Office
 set peer 188.8.131.52
 set transform-set ESP-AES-MD5
 match address Katy-IPSec
crypto map chris-vpn 9 ipsec-isakmp
 description Tunnel to Vicci's Office
 set peer 184.108.40.206
 set transform-set ESP-AES-MD5
 match address Vicci-IPSec
crypto map chris-vpn 10 ipsec-isakmp
 description Tunnel to Dan's Office
 set peer 220.127.116.11
 set transform-set ESP-AES-MD5
 match address Dan-IPSec
crypto map chris-vpn 11 ipsec-isakmp
 description Tunnel to cnc.charlene.871 (Charlene's Home)
 set peer 18.104.22.168
 set transform-set ESP-AES-MD5
 match address Charlene-IPSec
!
!
!
interface FastEthernet0/0
 ip address 22.214.171.124 255.255.255.224
 ip access-group sdm_fastethernet0/0_in in
 duplex auto
 speed auto
 crypto map chris-vpn
!
interface FastEthernet0/1
 ip address 10.99.1.1 255.255.255.252
 speed 100
 full-duplex
I've been looking at the crypto dynamic-map command, but I had thought you could apply only one map to an interface, and I only have one outside ethernet interface.
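How a dynamic map can share the single outside interface with the static entries, as an added example that is not part of the original post: IOS applies one crypto map per interface, but an entry of that map can reference a dynamic map, so the dynamic peer is added as the last entry of the existing `chris-vpn` map. The names `DYN-HOME` and `Dynamic-IPSec`, the sequence numbers, the key placeholder and both subnets are assumptions made for illustration.

```cisco
! Added example, not the poster's configuration.
! Assumptions: DYN-HOME, Dynamic-IPSec, sequence numbers 10 and 65535,
! and the subnets below are constructed for illustration.
!
! A peer without a fixed address cannot match "crypto isakmp key ... address <ip>",
! so a wildcard pre-shared key is required. Any host on the Internet can then
! attempt IKE authentication against it: use a long random key that differs
! from every per-peer key. The existing per-peer key lines stay as they are.
crypto isakmp key <WILDCARD-KEY-PLACEHOLDER> address 0.0.0.0 0.0.0.0
!
! Limit what a dynamic peer may negotiate to the one home LAN expected
! (10.99.0.0/16 as office side and 10.50.1.0/24 as home side are assumed).
ip access-list extended Dynamic-IPSec
 permit ip 10.99.0.0 0.0.255.255 10.50.1.0 0.0.0.255
!
! Dynamic map template: there is no "set peer", because the peer address
! is learned when the remote router initiates the negotiation.
crypto dynamic-map DYN-HOME 10
 set transform-set ESP-AES-MD5
 match address Dynamic-IPSec
!
! Reference the template from the existing map with the highest sequence
! number, so static entries 5-11 are evaluated first and are not changed.
! FastEthernet0/0 keeps its single "crypto map chris-vpn" statement.
crypto map chris-vpn 65535 ipsec-isakmp dynamic DYN-HOME
```

Only the remote router can bring this tunnel up, since the hub has no address to initiate to; `show crypto isakmp sa` and `show crypto ipsec sa` on the hub confirm whether it negotiated. The contents of `sdm_fastethernet0/0_in` are not shown on the page, so whether that inbound ACL admits IKE and ESP from an unknown source address has to be checked separately.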