10-12-2006 02:21 AM
I have an ASA and am running remote access VPN.
On that same ASA I need to set up a site-to-site VPN with a 7200 series router at the other end.
Can I do that on the same ASA?
I am new to VPN.
I would be grateful if you can provide any document.
I have a free interface on the ASA and a public IP on the outside interface.
10-12-2006 04:30 AM
Hello,
Yes, you can do both RA VPN and LAN-to-LAN VPN on the same ASA appliance. Please see the following documentation for an example configuration on an ASA.
Regards
Pradeep
10-12-2006 07:51 PM
Hi,
Thanks for your reply.
Appreciate your help.
I will try to configure the ASA.
The only change I would need to make is to the access list, since the rest of the config stays the same.
Rajashree
10-12-2006 09:20 PM
Hi,
Could anyone please help with the config:
Right now we have remote access VPN.
When we set up site-to-site VPN on the same ASA:
1) What command do I need to configure so that pre-shared key authentication takes precedence over username and password authentication?
2) There is a crypto map that already has a 65535 priority. What can I do so that when I create another crypto map for site-to-site it gets a higher priority?
I would need to create a new crypto map and assign it a higher priority.
3) I would not have to create the ISAKMP policies. They should be the same as for the remote access configuration, correct?
In this config:
I was wondering why this line is here:
access-list 150 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Thanks for your help
Raj
10-16-2006 01:22 AM
Hi,
Does anyone have any suggestions on this?
I would set up a site-to-site VPN on one interface and already have remote access VPN on another interface.
What are the points I should keep in mind, like:
1) What command do I need to configure so that pre-shared key authentication takes precedence over username and password authentication?
2) There is a crypto map that already has a 65535 priority. What can I do so that when I create another crypto map for site-to-site it gets a higher priority?
I would need to create a new crypto map and assign it a higher priority.
I will add a route for the public IP, as I already have a default route on the outside interface.
Thanks in advance
Raj
10-16-2006 07:00 AM
Hello Raj,
Let's assume that the remote peer is 10.10.10.1. Also note that the map name should be the same as the one you have for the remote access setup.
Given that, you will need to do the following (type ipsec-l2l means LAN-to-LAN):
1) What command do I need to configure so that pre-shared key authentication takes precedence over username and password authentication?
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
pre-shared-key
2) There is a crypto map that already has a 65535 priority. What can I do so that when I create another crypto map for site-to-site it gets a higher priority?
I would need to create a new crypto map and assign it a higher priority.
crypto map
crypto map
crypto map
3) I would not have to create the ISAKMP policies. They should be the same as for the remote access configuration, correct?
Not necessary, as long as the ISAKMP policy matches the other end.
4) Not sure why the list (access-list 150 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0) is there.
Regards
Pradeep
10-16-2006 08:56 AM
Hi Raj,
First of all, there can be only one crypto map applied per interface. So you have to use the existing crypto map (with the same name); only the priority number would be different.
Let's say priority number 65535 is used for remote access VPN, so you have to use a number lower than this value for a site-to-site VPN.
Secondly, the access-list 150 should be called in the match address statement. You cannot / should not use the same ACL for nonat as well as for the crypto map. It's not recommended. The nonat ACL remains the same for all site-to-site and remote access VPN tunnels, but the crypto ACL is different and unique for each site-to-site tunnel.
I guess since they are talking about only one connection in the doc, it's OK for that scenario, but it will not work in your case.
Thanks
Kanishka
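The points from the two replies above (one crypto map per interface, a static entry with a lower sequence number than the dynamic remote-access entry, a dedicated crypto ACL separate from the nonat ACL, and a peer-keyed tunnel-group of type ipsec-l2l) put together as one worked configuration. This is an added example, not the config from the Cisco document linked in the thread or from either poster. The peer 10.10.10.1 comes from Pradeep's reply; everything else is assumed: the ASA's outside IP 203.0.113.1, the existing crypto map name outside_map, the dynamic map outside_dyn_map, the LANs 192.168.1.0/24 (ASA side) and 192.168.2.0/24 (7200 side), the ACL names, and the pre-shared key.

```cisco
! ===== ASA side (ASA 7.x syntax) =====
! Assumed to already exist for the remote-access VPN: one crypto map on the
! outside interface, with the dynamic entry at the highest sequence number.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! --- Added for the LAN-to-LAN tunnel to 10.10.10.1 ---
! Crypto ACL: unique to this peer, only the traffic that must be encrypted.
access-list l2l_10.10.10.1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! NAT exemption: add a line to the existing nonat ACL instead of reusing the
! crypto ACL, so the nonat list can keep growing for other tunnels.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! Static entry in the SAME map (outside_map), sequence 10 < 65535, so the
! ASA evaluates it before falling through to the dynamic (remote-access) entry.
crypto map outside_map 10 match address l2l_10.10.10.1
crypto map outside_map 10 set peer 10.10.10.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
! Tunnel-group named by the peer IP; type ipsec-l2l means this peer is
! authenticated by the pre-shared key, not by user credentials.
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 pre-shared-key Example-PSK-change-me

! ===== 7200 side (IOS syntax), mirror image of the ASA crypto ACL =====
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key Example-PSK-change-me address 203.0.113.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Source and destination are swapped relative to the ASA's crypto ACL.
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map vpn_map 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 101
interface GigabitEthernet0/0
 crypto map vpn_map

! ===== Checks after generating interesting traffic from either LAN =====
! show crypto isakmp sa     (expect a phase 1 SA with peer 10.10.10.1 in state MM_ACTIVE / QM_IDLE)
! show crypto ipsec sa peer 10.10.10.1   (encaps/decaps counters should both increment)
```

Two things to watch when copying this pattern: the ISAKMP policy, transform set and pre-shared key must match exactly on both ends or phase 1/phase 2 will fail silently from the traffic's point of view, and the two crypto ACLs must be exact mirrors, otherwise one side proposes a proxy identity the other rejects. The 3DES/SHA-1/group 2 parameters reflect the 2006 era of the thread; on current software you would choose AES, SHA-2 and a stronger DH group instead.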
10-17-2006 11:14 AM
You sure can. You just need to set up a separate policy in the existing crypto map. Visit http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml