vpn tunnel connection

rajbhatt
Level 3

I have an ASA and am running remote access VPN.

On that same ASA I need to set up a site-to-site VPN with a 7200 series router at the other end.

Can I do that on the same ASA?

I am new to VPN.

I would be grateful if you can provide any document.

I have a free interface on the ASA and a public IP on the outside interface.

pmajumder
Level 3

Hello,

Yes, you can do both RA VPN and LAN-to-LAN VPN on the same ASA appliance. Please see the following documentation for an example configuration on an ASA.

http://www.cisco.com/en/US/customer/products/ps6120/products_getting_started_guide_chapter09186a00806a8373.html

Regards

Pradeep

Hi,

Thanks for your reply.

Appreciate your help.

I will try to configure the ASA.

The only change I would need to make is to the access list, since the rest of the config stays the same.

Rajashree

Hi,

Could anyone please help with the config:

Right now we have remote access VPN.

When we set up site-to-site VPN on the same ASA:

1) What command do I need to configure so that pre-shared authentication takes precedence over username and password authentication?

2) There is a crypto map that already has a 65535 priority. What can I do so that when I create another crypto map for site-to-site, it gets a higher priority?

I would need to create a new crypto map and assign it a higher priority.

3) I would not have to create the ISAKMP policies. They should be the same as for the remote access configuration, correct?

In this config:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml

I was wondering why this line is here:

access-list 150 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

Thanks for your help

Raj

Hi,

Does anyone have any suggestions on this?

I would set up a site-to-site VPN on another interface, and already have remote access VPN on another interface.

What are the points I should keep in mind, like:

1) What command do I need to configure so that pre-shared authentication takes precedence over username and password authentication?

2) There is a crypto map that already has a 65535 priority. What can I do so that when I create another crypto map for site-to-site, it gets a higher priority?

I would need to create a new crypto map and assign it a higher priority.

I will add a route for the public IP, as I already have a default route on the outside interface.

Thanks in advance

Raj

Hello Raj,

Let's assume that the remote peer is 10.10.10.1. Also note that the map name should be the same as the one you have for the remote access setup.

Given that, you will need to do the following (type ipsec-l2l means LAN-to-LAN):

1) What command do I need to configure so that pre-shared authentication takes precedence over username and password authentication?

tunnel-group 10.10.10.1 type ipsec-l2l

tunnel-group 10.10.10.1 ipsec-attributes

pre-shared-key

2) There is a crypto map that already has a 65535 priority. What can I do so that when I create another crypto map for site-to-site, it gets a higher priority?

I would need to create a new crypto map and assign it a higher priority.

crypto map 10 match address

crypto map 10 set peer 10.10.10.1

crypto map set transform-set

3) I would not have to create the ISAKMP policies. They should be the same as for the remote access configuration, correct?

Not necessary, as long as the ISAKMP policy matches the other end.

4) Not sure why the list (access-list 150 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0) is there.

Regards

Pradeep

Hi Raj,

First of all, there can be only one crypto map applied per interface. So you have to use the existing crypto map (with the same name); only the priority number would be different.

Let's say priority number 65535 is used for remote access VPN, so you have to use any number lower than this value for a site-to-site VPN.

Secondly, the access-list 150 should be called in the match address statement. You cannot/should not use the same ACL for nonat as well as the crypto map. It's not recommended. The nonat ACL remains the same for all site-to-site and remote access VPN tunnels, but the crypto ACL is different and unique for each site-to-site tunnel.

I guess since they are talking about only one connection in the doc, it's OK for that scenario, but it will not work in your case.

Thanks

Kanishka
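The constraints Kanishka and Pradeep describe (one crypto map per interface, the L2L entry sequenced below the 65535 dynamic RA entry, a crypto ACL distinct from the nonat ACL, and an ipsec-l2l tunnel-group for the peer) can be checked mechanically before a config is pushed. The following lint script is an added example, not code from this thread or from Cisco; the config text, map names, ACL names and addresses in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed ASA config fragment (assumption, not from the thread): an RA dynamic
# entry at 65535 and a new L2L entry at 10 share the one map bound to "outside".
GOOD_CONFIG = """
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list l2l_acl extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address l2l_acl
crypto map outside_map 10 set peer 10.10.10.1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group 10.10.10.1 type ipsec-l2l
"""

def check_asa_vpn_config(config):
    """Lint the points raised in the thread; returns a list of finding strings."""
    bound = {}                    # interface -> crypto map name applied to it
    static = {}                   # (map, seq) -> L2L peer address
    dynamic = defaultdict(list)   # map -> sequence numbers of dynamic (RA) entries
    match_acl = {}                # (map, seq) -> crypto ACL name
    nonat, l2l_groups = set(), set()
    for line in config.strip().splitlines():
        line = line.strip()
        if m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m[2]] = m[1]
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic", line):
            dynamic[m[1]].append(int(m[2]))
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            static[(m[1], int(m[2]))] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            match_acl[(m[1], int(m[2]))] = m[3]
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nonat.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            l2l_groups.add(m[1])
    findings = []
    for (name, seq), peer in static.items():
        # One map per interface: an entry in a map that is not bound does nothing.
        if name not in bound.values():
            findings.append(f"{name} {seq}: map not applied to any interface")
        # Static L2L entries must sort before the RA dynamic entry (65535 here).
        if any(seq >= d for d in dynamic.get(name, [])):
            findings.append(f"{name} {seq}: sequence not lower than dynamic entry")
        if match_acl.get((name, seq)) in nonat:
            findings.append(f"{name} {seq}: crypto ACL reused as nonat ACL")
        if peer not in l2l_groups:
            findings.append(f"{name} {seq}: no 'tunnel-group {peer} type ipsec-l2l'")
    return findings
```

Run it over a saved `show running-config` excerpt; an empty list means the L2L entry coexists with the RA setup the way the replies above describe.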

bjewell
Level 1

You sure can. You just need to set up a separate policy in the existing crypto map. Visit http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
