Multiple site-to-site VPNs on same ASA

I need to set up an IPSEC tunnel to let a vendor at a remote site print to a printer on my network.  I am planning to use an ASA 5520 to do this.  The architecture is pretty simple:

[Remote computer] -- [Remote FW] --<VPN Tunnel>-- [Local FW] -- [Local Routing] -- [Printer]

The caveat is that there will eventually be more than one vendor needing to do this.  Each will have a different destination but that means there will be more than one VPN connection to the ASA at my end.  It looks like the ASA 5520 can support more than one site-to-site VPN but will I need to assign a different endpoint IP address to each tunnel?

I searched and didn't find a design guide for multiple site-to-site VPNs.  If one exists I'd appreciate a pointer.

--

Stephen

Accepted Solution

jj27 (Spotlight)

You can do multiple site-to-site VPN tunnels.  Typically, you would have a crypto map applied to the internet facing interface.  Each crypto map entry has a sequence number. You would simply create all of the necessary configuration (tunnel-group for the remote peer IP, ACL to define interesting traffic, etc.) and increment the crypto map entry.

 

Example (ASA 8.4+ syntax: "ikev1" keyword on the transform-set and pre-shared-key lines; comment lines start with "!"):
! Enable IKEv1 once on the internet-facing interface; one phase 1 policy is shared by all peers
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2

! Transform set referenced by every entry (3DES/SHA-1 as posted; prefer AES/SHA-2 where both ends support it)
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Interesting traffic, one ACL per vendor (placeholder networks: local printer subnet first, vendor subnet second)
access-list s2s-VPN-1 extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list s2s-VPN-2 extended permit ip 192.168.10.0 255.255.255.0 10.2.2.0 255.255.255.0

! Entry 1: first vendor, remote peer 1.2.3.4
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$

! Entry 2: same outside address, next sequence number, different peer and ACL
crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 4.5.6.7
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$

! Apply the map to the interface once; every entry shares it
crypto map outside_map interface outside

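An added consistency check for the pattern the answer describes (one crypto map on the outside interface, one sequence-numbered entry per remote peer). This is example code written for this page, not anything from the thread or from Cisco; the ASA config it parses is a constructed sample in which a third entry is deliberately left incomplete. It reports the mistakes that most often break a multi-peer setup: a peer with no matching ipsec-l2l tunnel-group or pre-shared key, an interesting-traffic ACL that is referenced but never defined, a map that is never bound to an interface, a weak transform set, and two entries whose ACLs overlap (the ASA walks entries in sequence order, so the lower number silently takes the traffic). It also lists the peers terminated per interface, which shows directly that all tunnels share the one outside address.

```python
"""Sanity-check an ASA config carrying several site-to-site crypto map entries (example code)."""
import ipaddress
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: entries 1 and 2 are complete; entry 3 has no tunnel-group,
# no PFS, and an ACL that overlaps entry 2's destination network.
SAMPLE_CONFIG = """
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA256 esp-aes-256 esp-sha256-hmac
access-list s2s-VPN-1 extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list s2s-VPN-2 extended permit ip 192.168.10.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list s2s-VPN-3 extended permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 4.5.6.7
crypto map outside_map 2 set ikev1 transform-set ESP-AES256-SHA256
crypto map outside_map 3 match address s2s-VPN-3
crypto map outside_map 3 set peer 8.9.10.11
crypto map outside_map 3 set ikev1 transform-set ESP-AES256-SHA256
crypto map outside_map interface outside
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$
"""

WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def _net(addr, mask):
    # ASA ACLs use a dotted netmask, which ipaddress accepts after a slash.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (entries, acls, tunnel_groups, transform_sets, bound_maps) from ASA config text."""
    entries = defaultdict(dict)   # (map name, seq) -> {"peer", "acl", "transform", "pfs"}
    acls = defaultdict(list)      # ACL name -> [(src_net, dst_net), ...]
    tunnel_groups = {}            # peer -> {"type": str | None, "psk": bool}
    transform_sets = {}           # name -> [algorithm, ...]
    bound_maps = {}               # map name -> interface
    current_tg = None             # tunnel-group whose indented sub-mode we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():      # indented line: sub-mode of the preceding tunnel-group
            if current_tg and line.startswith("ikev1 pre-shared-key "):
                tunnel_groups[current_tg]["psk"] = True
            continue
        current_tg = None
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((_net(s, sm), _net(d, dm)))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound_maps[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            name, seq, rest = m.groups()
            entry, words = entries[(name, int(seq))], rest.split()
            if rest.startswith("match address "):
                entry["acl"] = words[-1]
            elif rest.startswith("set peer "):
                entry["peer"] = words[2]          # primary peer
            elif rest.startswith("set pfs"):
                entry["pfs"] = True
            elif "transform-set" in words:
                entry["transform"] = words[-1]
        elif m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"tunnel-group (\S+) type (\S+)$", line):
            tunnel_groups.setdefault(m.group(1), {"psk": False})["type"] = m.group(2)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            current_tg = m.group(1)
            tunnel_groups.setdefault(current_tg, {"psk": False, "type": None})
    return entries, acls, tunnel_groups, transform_sets, bound_maps


def check_config(text):
    """Return human-readable findings; an empty list means every entry is consistent."""
    entries, acls, tgs, tsets, bound = parse_config(text)
    findings = []
    for map_name in sorted({name for name, _ in entries}):
        if map_name not in bound:
            findings.append(f"{map_name}: crypto map is not applied to any interface")
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        peer = e.get("peer")
        tg = tgs.get(peer) if peer else None
        if peer is None:
            findings.append(f"{tag}: no 'set peer'")
        elif tg is None or tg.get("type") != "ipsec-l2l":
            findings.append(f"{tag}: no tunnel-group of type ipsec-l2l for peer {peer}")
        elif not tg["psk"]:
            findings.append(f"{tag}: tunnel-group {peer} has no ikev1 pre-shared-key")
        if e.get("acl") is None:
            findings.append(f"{tag}: no 'match address'")
        elif e["acl"] not in acls:
            findings.append(f"{tag}: ACL {e['acl']} is referenced but never defined")
        ts = e.get("transform")
        if ts is None or ts not in tsets:
            findings.append(f"{tag}: transform-set {ts} is missing or never defined")
        elif weak := sorted(WEAK_ALGS.intersection(tsets[ts])):
            findings.append(f"{tag}: transform-set {ts} uses weak algorithms {', '.join(weak)}")
        if not e.get("pfs"):
            findings.append(f"{tag}: PFS not enabled")
    # Overlapping interesting traffic between two entries of the same map: first sequence wins.
    for (a, ea), (b, eb) in combinations(sorted(entries.items()), 2):
        if a[0] != b[0]:
            continue
        for sa, da in acls.get(ea.get("acl"), []):
            for sb, db in acls.get(eb.get("acl"), []):
                if sa.overlaps(sb) and da.overlaps(db):
                    findings.append(f"{a[0]} {a[1]} and {b[0]} {b[1]}: interesting traffic overlaps "
                                    f"({sa} -> {da} vs {sb} -> {db}); sequence {a[1]} wins")
    return findings


def peers_per_interface(text):
    """Map each interface to the remote peers it terminates: one local address serves all of them."""
    entries, _, _, _, bound = parse_config(text)
    result = defaultdict(list)
    for (name, _), e in sorted(entries.items()):
        if name in bound and "peer" in e:
            result[bound[name]].append(e["peer"])
    return dict(result)


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
    print(peers_per_interface(SAMPLE_CONFIG))
```

Run it against a `show running-config` capture to get the same report for a real box; the ACL parser only understands the `extended permit ip <net> <mask> <net> <mask>` form shown on this page, so object-group or host-based ACLs would need the regex extended.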