03-28-2006 10:40 AM
ASA5520, v7.1
Question: is it possible to use an access-list as the peer address in the "set peer" command? If yes, it might look like "access-list 101 permit ip 2.3.4.244 255.255.254.255", which would match exactly 2.3. and host 244, and permit subnets .4 and .5?
The Scenario:
Inside_net 10.130.4.0/24
|
|
inside_i/f 10.130.4.1
[asa]
outside_if 1.2.3.123
|
|
Internet cloud 2.3.4.244 and 2.3.5.244
Two remote hosts from same customer want to access me using VPN. They want two peers for redundancy/backup on their end.
This is what I have and it works:
access-list customerA_126_10018 extended permit tcp host 10.130.4.7 eq 10018 host 172.16.128.48
access-list customerA_126_10018 extended permit tcp host 10.130.4.7 eq 10018 host 172.16.128.49
access-list customerA_126_10018 extended permit tcp host 10.130.4.7 eq 10018 host 172.16.138.48
access-list customerA_126_10018 extended permit tcp host 10.130.4.7 eq 10018 host 172.16.138.49
access-list cry_customerA_132 extended permit ip host 1.2.3.126 host 172.16.138.48
access-list cry_customerA_132 extended permit ip host 1.2.3.126 host 172.16.138.49
access-list cry_customerA_133 extended permit ip host 1.2.3.126 host 172.16.128.48
access-list cry_customerA_133 extended permit ip host 1.2.3.126 host 172.16.128.49
static (servers,outside) tcp 1.2.3.126 10018 access-list customerA_126_10018
crypto map outside_map 132 match address cry_customerA_132
crypto map outside_map 132 set peer 2.3.24.244
crypto map outside_map 132 set transform-set ESP-3DES-SHA
crypto map outside_map 132 set security-association lifetime seconds 3600
crypto map outside_map 133 match address cry_customerA_133
crypto map outside_map 133 set peer 2.3.25.244
crypto map outside_map 133 set transform-set ESP-3DES-SHA
crypto map outside_map 133 set security-association lifetime seconds 3600
tunnel-group 2.3.24.244 type ipsec-l2l
tunnel-group 2.3.24.244 ipsec-attributes
pre-shared-key **********
tunnel-group 2.3.25.244 type ipsec-l2l
tunnel-group 2.3.25.244 ipsec-attributes
pre-shared-key **********
And this is what I would like to do, have one crypto map with multiple peers like this:
crypto map outside_map 132 match address cry_customerA_132
crypto map outside_map 132 set peer 2.3.24.244 2.3.25.244
crypto map outside_map 132 set transform-set ESP-3DES-SHA
crypto map outside_map 132 set security-association lifetime seconds 3600
Notice the multiple peers in the crypto map statements. Now my perusal of the docs indicates that multiple peers can be used only in cases where this end originates the tunnel. My ASA is not the originator, the 2.3.x.244 peer is the originator.
(the reason for the request is that I use the customer number in an algorithm to generate the map number, with one customer but two peers, this scheme does not work.)
Thanks
04-03-2006 10:13 AM
From my PIX 6.3 and IOS knowledge, I believe the syntax of the "set peer" command can only take an IP address for a peer and not with a mask. If the peer is not known in advance, then you need to use "dynamic crypto-map".
06-29-2007 06:33 AM
I believe you can do the following:
crypto map outside_map 132 match address cry_customerA_132
crypto map outside_map 132 set peer 2.3.24.244
crypto map outside_map 132 set peer 2.3.25.244
crypto map outside_map 132 set transform-set ESP-3DES-SHA
crypto map outside_map 132 set security-association lifetime seconds 3600
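The working config earlier in the thread defines one tunnel-group (with its pre-shared key) per peer address, so the easy thing to miss when a second "set peer" is added to an existing map entry is the tunnel-group for that second peer. The script below is an added example, not from the original post or from Cisco: it parses crypto map "set peer" lines (both the one-peer-per-line form above and the space-separated form in the original question), collects the ipsec-l2l tunnel-groups, and reports any peer that has no tunnel-group. The sample config is constructed for the example and deliberately omits the tunnel-group for 2.3.25.244.

```python
import re

# Constructed sample (not taken from a real device): map entry 132 with the
# second peer added as suggested above, but a tunnel-group for only the first.
SAMPLE_CONFIG = """\
crypto map outside_map 132 match address cry_customerA_132
crypto map outside_map 132 set peer 2.3.24.244
crypto map outside_map 132 set peer 2.3.25.244
crypto map outside_map 132 set transform-set ESP-3DES-SHA
crypto map outside_map 132 set security-association lifetime seconds 3600
tunnel-group 2.3.24.244 type ipsec-l2l
tunnel-group 2.3.24.244 ipsec-attributes
 pre-shared-key **********
"""

# "crypto map <name> <seq> set peer <addr> [<addr> ...]"
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+?)\s*$")
# "tunnel-group <addr> type ipsec-l2l"
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l\s*$")


def parse_crypto_peers(config):
    """Return {(map_name, seq): [peer, ...]} in configured order.

    Handles both a separate 'set peer' line per peer and several peers
    listed on one 'set peer' line; duplicates within an entry are dropped.
    """
    peers = {}
    for line in config.splitlines():
        m = PEER_RE.match(line.strip())
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        entry = peers.setdefault(key, [])
        for peer in m.group(3).split():
            if peer not in entry:
                entry.append(peer)
    return peers


def parse_l2l_tunnel_groups(config):
    """Return the set of peer addresses that have an ipsec-l2l tunnel-group."""
    groups = set()
    for line in config.splitlines():
        m = TG_RE.match(line.strip())
        if m:
            groups.add(m.group(1))
    return groups


def find_peers_without_tunnel_group(config):
    """List (map_name, seq, peer) for every crypto map peer lacking a tunnel-group."""
    groups = parse_l2l_tunnel_groups(config)
    missing = []
    for (map_name, seq), peers in parse_crypto_peers(config).items():
        for peer in peers:
            if peer not in groups:
                missing.append((map_name, seq, peer))
    return missing


if __name__ == "__main__":
    for (name, seq), peers in parse_crypto_peers(SAMPLE_CONFIG).items():
        print(f"{name} {seq}: peers in order {peers}")
    for name, seq, peer in find_peers_without_tunnel_group(SAMPLE_CONFIG):
        print(f"{name} {seq}: peer {peer} has no ipsec-l2l tunnel-group")
```

Run it against the output of "show running-config" saved to a file; the peer list is printed in configured order because that order is what the box works through when it originates the tunnel.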
07-03-2007 11:27 PM
My query for the above.
Does an outbound connection establish to both peers, or the first peer it receives a response from?
Would appreciate any comments.
Tim
07-03-2007 11:44 PM
Hi Tim
My understanding is that it tries the first peer in the list and if there is no response then it will try the next peer.
Jon