cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1797
Views
15
Helpful
6
Replies
mahesh18
Frequent Contributor

Applying two crypto map to same interface caused outage

Hi everyone,

 

Seems on Cisco ASA 8.2 we have remote vpn configured with crypto  map name VPN.

I did config for site to site IPSEC tunnel with new crypto map name L2L.

 

When i apply this new crypto map to the outside interface then old crypto map VPN was no longer applied to the

outside interface.

 

Need to confirm if this is by design?

 

Old crypto map policy number is 10

new crypto map plicy number was 20

 

Regards

Mahesh 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Marvin Rhoads
VIP Community Legend

Only one "crypto map <name>" can be applied to a given interface at one time.

As implied, we use sequence numbers within the crypto map to accommodate multiple distinct VPNs.

As long as the ACLs for matching ("interesting") traffic don't have any overlaps or conflicts it will work fine.

View solution in original post

6 REPLIES 6
kapydan88
Enthusiast

Hello.

 

Yes, you can do this - but you need to increase sequence number - in my example its 10 and 20.

 

crypto map WAN_MAP 10 match address 123
crypto map WAN_MAP 10 set peer 3.13.24.2
crypto map WAN_MAP 10 set ikev1 transform-set dessha
crypto map WAN_MAP 10 set security-association lifetime seconds 28800
crypto map WAN_MAP 10 set security-association lifetime kilobytes 4608000
crypto map WAN_MAP 10 set reverse-route
crypto map WAN_MAP 20 match address 11
crypto map WAN_MAP 20 set pfs group14
crypto map WAN_MAP 20 set peer 9.16.43.8
crypto map WAN_MAP 20 set ikev2 ipsec-proposal AES256-SHA512
crypto map WAN_MAP 20 set security-association lifetime seconds 3600
crypto map WAN_MAP 20 set security-association lifetime kilobytes 4608000

 

crypto map WAN_MAP interface <outside interface name>

mahesh18
Frequent Contributor

I was asking if we can apply two different crypto map names to same interface?

for example

 

crypto map  test1

crypto map  test 2 

 

 

I was asking if we can apply two different crypto map names to same interface? - No.

mahesh18
Frequent Contributor

thanks for answering the question.

Currently we have sequence number 10 and 65535 for remote vpn users.

 

if i use sequence number 20  for IPSEC lan to lan tunnel then it should not cause any issues right?

Marvin Rhoads
VIP Community Legend

Only one "crypto map <name>" can be applied to a given interface at one time.

As implied, we use sequence numbers within the crypto map to accommodate multiple distinct VPNs.

As long as the ACLs for matching ("interesting") traffic don't have any overlaps or conflicts it will work fine.

mahesh18
Frequent Contributor

Many Thanks Marvin.