
Multiple site-to-site VPNs on same ASA

I need to set up an IPSEC tunnel to let a vendor at a remote site print to a printer on my network.  I am planning to use an ASA 5520 to do this.  The architecture is pretty simple:

[Remote computer] -- [Remote FW] --<VPN Tunnel>-- [Local FW] -- [Local Routing] -- [Printer]

The caveat is that there will eventually be more than one vendor needing to do this.  Each will have a different destination but that means there will be more than one VPN connection to the ASA at my end.  It looks like the ASA 5520 can support more than one site-to-site VPN but will I need to assign a different endpoint IP address to each tunnel?

I searched and didn't find a design guide for multiple site-to-site VPNs.  If one exists I'd appreciate a pointer.

--

Stephen


1 ACCEPTED SOLUTION


You can do multiple site-to

You can do multiple site-to-site VPN tunnels.  Typically, you would have a crypto map applied to the internet facing interface.  Each crypto map entry has a sequence number. You would simply create all of the necessary configuration (tunnel-group for the remote peer IP, ACL to define interesting traffic, etc.) and increment the crypto map entry.


Example (completed with the pieces the two entries depend on; the ACL subnets and the interface name "outside" are placeholders, and "set transform-set" is written in the 8.4+ form "set ikev1 transform-set" to match the ikev1 keywords used below):
! Prerequisites: IKEv1 on the outside interface, a phase-1 policy, the shared transform set, one interesting-traffic ACL per vendor
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list s2s-VPN-1 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list s2s-VPN-2 extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! Entry 1: first vendor
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$

! Entry 2: second vendor, next sequence number, same crypto map and same outside interface
crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 4.5.6.7
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA

tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$

! Bind the one crypto map to the internet-facing interface once; every entry shares that binding
crypto map outside_map interface outside
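As an added example (not from this thread and not Cisco tooling), here is a small Python checker for the pattern the answer describes: one crypto map on the outside interface, one entry per vendor. It parses the crypto map entries, ipsec-l2l tunnel-groups, ACLs and transform sets out of a saved ASA configuration and reports the mistakes that creep in when a third and fourth vendor are added to the same outside_map: a 'match address' ACL reused by two entries, a peer with no matching ipsec-l2l tunnel-group, a referenced ACL or transform set that was never defined, and a map that was never bound to an interface. The sample configuration, the subnets and the 9.9.9.9 peer are constructed for the example; the command syntax is the ASA 8.4+ IKEv1 form used in the answer.

```python
"""Sanity-check the per-vendor entries of an ASA crypto map before adding the next tunnel."""
import re

# Constructed sample (not from a real device): the two tunnels from the answer plus the
# prerequisites they rely on. Subnets and the interface name "outside" are placeholders.
GOOD_CONFIG = """
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list s2s-VPN-1 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list s2s-VPN-2 extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 1 match address s2s-VPN-1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey$
crypto map outside_map 2 match address s2s-VPN-2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 4.5.6.7
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
 ikev1 pre-shared-key SomeSecureKey2$
crypto map outside_map interface outside
"""

# Constructed "third vendor added in a hurry": reuses vendor 1's ACL, has no tunnel-group
# for its (placeholder) peer 9.9.9.9, and the interface binding was dropped along the way.
BAD_CONFIG = GOOD_CONFIG.replace("crypto map outside_map interface outside\n", "") + """
crypto map outside_map 3 match address s2s-VPN-1
crypto map outside_map 3 set peer 9.9.9.9
crypto map outside_map 3 set ikev1 transform-set ESP-3DES-SHA
"""

MAP_ENTRY = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set (?:ikev1 )?transform-set|set pfs)\s*(.*)$")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
L2L_GROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
ACL_DEF = re.compile(r"^access-list (\S+) extended ")
TS_DEF = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) ")


def parse_asa_vpn(config):
    """Collect crypto map entries and the objects they reference from running-config text."""
    state = {"entries": {}, "bound": {}, "l2l_groups": set(), "acls": set(), "transform_sets": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_BIND.match(line):
            state["bound"][m.group(1)] = m.group(2)
        elif m := MAP_ENTRY.match(line):
            name, seq, key, value = m.groups()
            entry = state["entries"].setdefault(
                (name, int(seq)), {"acl": None, "peers": [], "transform_sets": [], "pfs": False})
            if key == "match address":
                entry["acl"] = value
            elif key == "set peer":
                entry["peers"] = value.split()          # ASA allows a backup peer list
            elif key.endswith("transform-set"):
                entry["transform_sets"] = value.split()
            else:                                       # "set pfs" or "set pfs groupN"
                entry["pfs"] = True
        elif m := L2L_GROUP.match(line):
            state["l2l_groups"].add(m.group(1))         # tunnel-group name is the peer IP
        elif m := ACL_DEF.match(line):
            state["acls"].add(m.group(1))
        elif m := TS_DEF.match(line):
            state["transform_sets"].add(m.group(1))
    return state


def validate_crypto_maps(state):
    """Return human-readable findings; an empty list means the map set is internally coherent."""
    findings = []
    acl_users = {}                                      # ACL name -> sequence numbers using it
    for (name, seq), e in sorted(state["entries"].items()):
        tag = f"crypto map {name} {seq}"
        if not e["acl"]:
            findings.append(f"{tag}: no 'match address' ACL")
        elif e["acl"] not in state["acls"]:
            findings.append(f"{tag}: ACL {e['acl']} is referenced but never defined")
        else:
            acl_users.setdefault(e["acl"], []).append(seq)
        if not e["peers"]:
            findings.append(f"{tag}: no peer set")
        for peer in e["peers"]:
            if peer not in state["l2l_groups"]:
                findings.append(f"{tag}: peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
        if not e["transform_sets"]:
            findings.append(f"{tag}: no transform set")
        for ts in e["transform_sets"]:
            if ts not in state["transform_sets"]:
                findings.append(f"{tag}: transform set {ts} is referenced but never defined")
    for acl, seqs in acl_users.items():
        if len(seqs) > 1:
            findings.append(f"ACL {acl} is used by entries {seqs}; the lower sequence number shadows the others")
    for name in sorted({n for n, _ in state["entries"]}):
        if name not in state["bound"]:
            findings.append(f"crypto map {name} is not applied to any interface")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_crypto_maps(parse_asa_vpn(cfg)) or ["ok"])
```

Run it against `show running-config` output saved to a file before and after pasting a new vendor's entry; the intent is to catch the copy-and-paste slips (an ACL name left over from the previous entry, a forgotten tunnel-group) that otherwise only show up as a tunnel that never comes up.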

656 Views | 0 Helpful | 1 Replies