multiple peers - same crypto map?

jforst
Level 1

ASA5520, v7.1

Question: is it possible to use an access-list as the peer address in the "set peer" command? If yes, it might look like "access-list 101 permit ip 2.3.4.244 255.255.254.255", which would match exactly 2.3. and host 244, and permit subnets .4 and .5?

The Scenario:

Inside_net 10.130.4.0/24
|
|
inside_i/f 10.130.4.1
[asa]
outside_if 1.2.3.123
|
|
Internet cloud 2.3.4.244 and 2.3.5.244

Two remote hosts from same customer want to access me using VPN. They want two peers for redundancy/backup on their end.

This is what I have and it works:

access-list customerA_126_10018 extended permit tcp host 10.130.4.7 eq 10018 host 172.16.128.48
access-list customerA_126_10018 extended permit tcp host 10.130.4.7 eq 10018 host 172.16.128.49
access-list customerA_126_10018 extended permit tcp host 10.130.4.7 eq 10018 host 172.16.138.48
access-list customerA_126_10018 extended permit tcp host 10.130.4.7 eq 10018 host 172.16.138.49
access-list cry_customerA_132 extended permit ip host 1.2.3.126 host 172.16.138.48
access-list cry_customerA_132 extended permit ip host 1.2.3.126 host 172.16.138.49
access-list cry_customerA_133 extended permit ip host 1.2.3.126 host 172.16.128.48
access-list cry_customerA_133 extended permit ip host 1.2.3.126 host 172.16.128.49
static (servers,outside) tcp 1.2.3.126 10018 access-list customerA_126_10018
crypto map outside_map 132 match address cry_customerA_132
crypto map outside_map 132 set peer 2.3.24.244
crypto map outside_map 132 set transform-set ESP-3DES-SHA
crypto map outside_map 132 set security-association lifetime seconds 3600
crypto map outside_map 133 match address cry_customerA_133
crypto map outside_map 133 set peer 2.3.25.244
crypto map outside_map 133 set transform-set ESP-3DES-SHA
crypto map outside_map 133 set security-association lifetime seconds 3600
tunnel-group 2.3.24.244 type ipsec-l2l
tunnel-group 2.3.24.244 ipsec-attributes
pre-shared-key **********
tunnel-group 2.3.25.244 type ipsec-l2l
tunnel-group 2.3.25.244 ipsec-attributes
pre-shared-key **********

And this is what I would like to do, have one crypto map with multiple peers like this:

crypto map outside_map 132 match address cry_customerA_132
crypto map outside_map 132 set peer 2.3.24.244 2.3.25.244
crypto map outside_map 132 set transform-set ESP-3DES-SHA
crypto map outside_map 132 set security-association lifetime seconds 3600

Notice the multiple peers in the crypto map statements. Now my perusal of the docs indicates that multiple peers can be used only in cases where this end originates the tunnel. My ASA is not the originator, the 2.3.x.244 peer is the originator.

(The reason for the request is that I use the customer number in an algorithm to generate the map number; with one customer but two peers, this scheme does not work.)

Thanks

4 Replies

vkapoor5
Level 5

From my PIX 6.3 and IOS knowledge, I believe the syntax of the "set peer" command can only take an IP address for a peer and not with a mask. If the peer is not known in advance, then you need to use "dynamic crypto-map".

I believe you can do the following:

crypto map outside_map 132 match address cry_customerA_132
crypto map outside_map 132 set peer 2.3.24.244
crypto map outside_map 132 set peer 2.3.25.244
crypto map outside_map 132 set transform-set ESP-3DES-SHA
crypto map outside_map 132 set security-association lifetime seconds 3600

My query on the above:

Does an outbound connection establish to both peers, or to the first peer it receives a response from?

Would appreciate any comments.

Tim

Hi Tim

My understanding is that it tries the first peer in the list and if there is no response then it will try the next peer.

Jon
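An added sanity check, not from this thread or from Cisco, that follows the convention in the original post: every IP listed under "set peer" has its own ipsec-l2l tunnel-group with a pre-shared key, which is what lets a peer that initiates the tunnel authenticate. The script parses the peers out of a crypto map (one "set peer" line or several) and reports any peer without a matching tunnel-group; the config it runs on is a constructed sample.

```python
import re

# Constructed sample: peer 2.3.25.244 deliberately has no tunnel-group.
SAMPLE_CONFIG = """
crypto map outside_map 132 set peer 2.3.24.244 2.3.25.244
tunnel-group 2.3.24.244 type ipsec-l2l
tunnel-group 2.3.24.244 ipsec-attributes
 pre-shared-key **********
"""
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def crypto_map_peers(config):
    """{(map_name, seq): [peer, ...]} in listed order, from one or several 'set peer' lines."""
    peers = {}
    for line in config.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            peers.setdefault((m.group(1), int(m.group(2))), []).extend(m.group(3).split())
    return peers

def l2l_tunnel_groups(config):
    """{peer: has_psk} for every ipsec-l2l tunnel-group in the config."""
    groups, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        type_m, attr_m = TG_TYPE_RE.match(s), TG_ATTR_RE.match(s)
        if type_m:
            groups.setdefault(type_m.group(1), False)
            current = None
        elif attr_m:  # entering this peer's ipsec-attributes sub-mode
            current = attr_m.group(1)
            groups.setdefault(current, False)
        elif current and s.startswith("pre-shared-key "):
            groups[current] = True
    return groups

def missing_peer_groups(config):
    """Crypto-map peers that lack an ipsec-l2l tunnel-group with a pre-shared key."""
    groups = l2l_tunnel_groups(config)
    problems = []
    for (name, seq), peers in crypto_map_peers(config).items():
        for peer in peers:
            if peer not in groups:
                problems.append((name, seq, peer, "no ipsec-l2l tunnel-group"))
            elif not groups[peer]:
                problems.append((name, seq, peer, "tunnel-group has no pre-shared-key"))
    return problems
```

Run it over a saved "show running-config" before adding a second peer to an existing map entry; a peer it reports is one the ASA cannot authenticate as a responder.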