Multiple VPN and Crypto Maps

jasonpullar
Level 1

I have an ASA 5510 and I'm trying to connect a site-to-site VPN with a 5505. The problem is that on the 5510 I have multiple Remote Access VPNs and want to add the site-to-site VPN in; I'm just confirming my config.

I'd assume I use the same crypto map but create multiple policies and change the priority? Is this the correct way? I'm assuming if I created a new crypto map it would override it when I attach it to the interface.

Any help from the forum would be awesome.

Thanks ahead of time!


5 Replies

Julio Carvajal
VIP Alumni

Hello Jason,

First of all, you will need to check whether your license supports the number of VPN tunnels you are going to build. Assuming you have a version that supports this scenario, here is what you need to know.

Let's say you already have 3 VPNs up and running and you want to add a new crypto map for a new tunnel. The crypto map you have been using and have applied to the interface is called YYY.

! each existing tunnel is one entry of map YYY, identified by its sequence number
crypto map YYY 1 match address xxxxx
crypto map YYY 1 set peer xx
crypto map YYY 1 set ikev1 transform-set ESP-3DES-SHA
crypto map YYY 2 match address xxxx
crypto map YYY 2 set peer xxx
crypto map YYY 2 set ikev1 transform-set ESP-3DES-SHA
crypto map YYY 3 match address xxx
crypto map YYY 3 set peer xxx
crypto map YYY 3 set ikev1 transform-set ESP-3DES-SHA
! the single map is bound once to the interface
crypto map YYY interface outside

And the new VPN configuration will use the peer 1.1.1.1, the ACL 139 and the transform set ESP-3DES-SHA.

So you will need:

! new entry: sequence number 4 is not in use yet; the ACL goes on match address and the IP on set peer
crypto map YYY 4 match address 139
crypto map YYY 4 set peer 1.1.1.1
crypto map YYY 4 set ikev1 transform-set ESP-3DES-SHA

So the thing is, you can have more than one policy or tunnel applied to the same crypto map on the same interface.

Let me know if I understood your question correctly.

Regards,

Please rate helpful posts.

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Fantastic response and it makes complete sense. I'm working with a firewall I didn't configure and, to be honest, it has a ton of junk in it that I do need to fix someday, but I was wondering if you could look at the config, as it appears they are using dynamic maps and I am confused on the config portion.

Attached is my command input and the sh run crypto.

Any guidance would be awesome.

Thanks again.

Hello Jason,

Thanks for the rating. I was checking the configuration you sent me, and let me begin by letting you know why you may want to use a dynamic crypto map. You will use this particular feature when your peer does not have a static IP address on their VPN end interface, so the IP will be changing dynamically. With this feature your ASA will be able to respond via the VPN tunnel to all the connections initiated from their site; you will not be able to initiate the communication.

Now, in order to apply a dynamic crypto map to an interface, you will first need to apply it to a crypto map. In the configuration you sent me you have it configured right here:

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

If you want to have the dynamic crypto map and the new site-to-site VPN, they will need to be under the same interface, and you can only apply one crypto map per interface. So the configuration of the new VPN tunnel would use outside_map as well, instead of a new crypto map name.

Hope this helps.

Please rate helpful posts

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
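An added example, not code from this thread or from Cisco: a small Python checker that parses a `show run crypto`-style fragment and verifies the points made in the two replies above. It checks that every static entry on the shared map is complete (match address, set peer, transform set), that the `ipsec-isakmp dynamic` entry keeps the highest sequence number so it does not shadow the static peers, and that only one crypto map is applied per interface. `render_new_entry` then emits the lines for the new site-to-site peer on the map already bound to `outside`, rather than on a new map that would replace it. The sample config, the `vpn_to_branch_*` ACL names and the 203.0.113.x peers are constructed; peer 1.1.1.1, ACL 139, ESP-3DES-SHA, `outside_map` and `outside_dyn_map` are the values from the thread. It assumes the IKEv1 `set ikev1 transform-set` syntax used in the replies, so an IKEv2 `set ikev2 ipsec-proposal` entry would be reported as missing its transform set.

```python
"""Sanity-check a multi-entry ASA crypto map before adding a site-to-site tunnel."""
import re
from collections import defaultdict

# Constructed sample, not from the thread: three existing static entries and the
# dynamic entry for the remote-access clients kept at the highest sequence number.
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address vpn_to_branch_a
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 20 match address vpn_to_branch_b
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 30 match address vpn_to_branch_c
crypto map outside_map 30 set peer 203.0.113.30
crypto map outside_map 30 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_maps(config):
    """Return ({map: {seq: {field: value}}}, {interface: [map names applied]})."""
    maps, interfaces = defaultdict(dict), defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            interfaces[m.group(2)].append(m.group(1))
            continue
        if not (m := ENTRY_RE.match(line)):
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = maps[name].setdefault(seq, {})
        if rest[:2] == ["match", "address"]:
            entry["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peer"] = rest[2]
        elif rest[:3] == ["set", "ikev1", "transform-set"]:
            entry["transform"] = rest[3]
        elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = rest[2]
    return maps, interfaces


def check_crypto_maps(config):
    """Return problem strings; an empty list means the fragment looks sane."""
    maps, interfaces = parse_crypto_maps(config)
    problems = []
    for iface, names in interfaces.items():
        if len(names) > 1:  # only one crypto map can be active per interface
            problems.append(f"{iface}: more than one crypto map applied ({', '.join(names)})")
    applied = {n for names in interfaces.values() for n in names}
    for name, entries in maps.items():
        if name not in applied:
            problems.append(f"{name}: defined but not applied to any interface")
        static = [s for s, e in entries.items() if "dynamic" not in e]
        dynamic = [s for s, e in entries.items() if "dynamic" in e]
        for seq in sorted(static):
            missing = [f for f in ("acl", "peer", "transform") if f not in entries[seq]]
            if missing:
                problems.append(f"{name} {seq}: static entry missing {', '.join(missing)}")
        # Entries are evaluated in sequence order, so the catch-all dynamic entry
        # must carry the highest sequence numbers or it shadows the static peers.
        if dynamic and static and min(dynamic) < max(static):
            problems.append(f"{name}: dynamic entry {min(dynamic)} precedes static entry "
                            f"{max(static)}; dynamic entries need the highest sequence numbers")
        by_acl = defaultdict(list)
        for seq in static:
            by_acl[entries[seq].get("acl")].append(seq)
        for acl, seqs in by_acl.items():
            if acl and len(seqs) > 1:
                problems.append(f"{name}: ACL {acl} reused by entries {sorted(seqs)}")
    return problems


def render_new_entry(config, interface, acl, peer, transform):
    """Config lines adding a static site-to-site entry to the map already on `interface`."""
    maps, interfaces = parse_crypto_maps(config)
    names = interfaces.get(interface, [])
    if len(names) != 1:
        raise ValueError(f"expected exactly one crypto map on {interface}, found {names}")
    name = names[0]
    static = [s for s, e in maps[name].items() if "dynamic" not in e]
    dynamic = [s for s, e in maps[name].items() if "dynamic" in e]
    seq = max(static) + 10 if static else 10  # next free slot after the last static entry
    if dynamic and seq >= min(dynamic):
        raise ValueError("no free sequence number below the dynamic entry")
    return [f"crypto map {name} {seq} match address {acl}",
            f"crypto map {name} {seq} set peer {peer}",
            f"crypto map {name} {seq} set ikev1 transform-set {transform}"]


if __name__ == "__main__":
    print("existing problems:", check_crypto_maps(SAMPLE_CONFIG) or "none")
    new_lines = render_new_entry(SAMPLE_CONFIG, "outside", "139", "1.1.1.1", "ESP-3DES-SHA")
    print("\n".join(new_lines))
    print("after adding:", check_crypto_maps(SAMPLE_CONFIG + "\n".join(new_lines) + "\n") or "none")
```

Run it against the real `show run crypto` output by replacing `SAMPLE_CONFIG`; the checker only needs the `crypto map` lines, so the tunnel-group and ACL definitions can stay in the pasted text. It is a pre-change review aid, not a substitute for `show crypto map` and `show crypto ipsec sa` on the box after the change.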

Thanks for the reply jcarvaja, I got it figured out, but thanks again for all your help and quick replies.

Hello Jason,

Thanks again for the rating. It has been a pleasure; any other question, just let me know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC