05-05-2020 05:14 PM
Hi everyone,
Seems on Cisco ASA 8.2 we have remote VPN configured with crypto map name VPN.
I did config for a site-to-site IPsec tunnel with new crypto map name L2L.
When I apply this new crypto map to the outside interface then the old crypto map VPN was no longer applied to the outside interface.
Need to confirm if this is by design?
Old crypto map policy number is 10
New crypto map policy number was 20
Regards
Mahesh
05-05-2020 07:58 PM
Hello.
Yes, you can do this - but you need to increase the sequence number - in my example it's 10 and 20.
crypto map WAN_MAP 10 match address 123
crypto map WAN_MAP 10 set peer 3.13.24.2
crypto map WAN_MAP 10 set ikev1 transform-set dessha
crypto map WAN_MAP 10 set security-association lifetime seconds 28800
crypto map WAN_MAP 10 set security-association lifetime kilobytes 4608000
crypto map WAN_MAP 10 set reverse-route
crypto map WAN_MAP 20 match address 11
crypto map WAN_MAP 20 set pfs group14
crypto map WAN_MAP 20 set peer 9.16.43.8
crypto map WAN_MAP 20 set ikev2 ipsec-proposal AES256-SHA512
crypto map WAN_MAP 20 set security-association lifetime seconds 3600
crypto map WAN_MAP 20 set security-association lifetime kilobytes 4608000
crypto map WAN_MAP interface <outside interface name>
05-05-2020 08:31 PM
I was asking if we can apply two different crypto map names to the same interface?
For example:
crypto map test1
crypto map test2
05-05-2020 08:37 PM
I was asking if we can apply two different crypto map names to same interface? - No.
05-05-2020 09:41 PM
Thanks for answering the question.
Currently we have sequence numbers 10 and 65535 for remote VPN users.
If I use sequence number 20 for the IPsec LAN-to-LAN tunnel then it should not cause any issues, right?
05-06-2020 01:28 AM
Only one "crypto map <name>" can be applied to a given interface at one time.
As implied, we use sequence numbers within the crypto map to accommodate multiple distinct VPNs.
As long as the ACLs for matching ("interesting") traffic don't have any overlaps or conflicts it will work fine.
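The three conditions in the answer above (one crypto map bound per interface, distinct sequence numbers with the dynamic remote-access entry evaluated last, and interesting-traffic ACLs that do not overlap) can be checked mechanically before the config is pasted into the box. The linter below is an added example, not code from the thread or from Cisco; the embedded config, map/ACL/interface names and the RFC 5737 peer addresses are constructed for illustration, and it deliberately reproduces the original mistake (a second map "L2L" bound to outside after "VPN"). One version caveat for the 8.2 box in the question: the `set ikev1 transform-set` and `set ikev2 ipsec-proposal` keywords in the posted example are 8.4+ syntax; on 8.2 the line is `crypto map <name> <seq> set transform-set <name>`.

```python
"""Lint an ASA crypto map config for one-map-per-interface, sequence ordering and
non-overlapping interesting-traffic ACLs. Added example; sample config is constructed."""
import ipaddress
import re
from collections import defaultdict
from itertools import combinations, product

# Constructed sample (hypothetical names, RFC 5737 peers): map "VPN" carries a static
# remote-access entry at 10, the new L2L entry at 20 and the dynamic entry at 65535;
# a second map "L2L" was then also bound to outside, as in the original question.
SAMPLE_CONFIG = """
access-list RA_SPLIT extended permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list L2L_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list L2L_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.9.5.0 255.255.255.0
crypto dynamic-map DYN 10 set transform-set AES256-SHA
crypto map VPN 10 match address RA_SPLIT
crypto map VPN 10 set peer 198.51.100.7
crypto map VPN 20 match address L2L_TRAFFIC
crypto map VPN 20 set peer 203.0.113.10
crypto map VPN 65535 ipsec-isakmp dynamic DYN
crypto map VPN interface outside
crypto map L2L 10 match address L2L_TRAFFIC
crypto map L2L interface outside
"""

# Only the "permit ip <net> <mask> <net> <mask>" ACE form is parsed; host/any are not.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse(config):
    acls = defaultdict(list)      # ACL name -> [(src_net, dst_net)]
    entries = defaultdict(dict)   # map name -> seq -> {"acl": name or None, "dynamic": bool}
    bindings = defaultdict(list)  # interface -> map names, in the order they were applied
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := BIND_RE.match(line):
            bindings[m.group(2)].append(m.group(1))
        elif m := ENTRY_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            entry = entries[name].setdefault(seq, {"acl": None, "dynamic": False})
            if rest.startswith("match address "):
                entry["acl"] = rest.split()[2]
            elif " dynamic " in f" {rest} ":
                entry["dynamic"] = True
    return acls, entries, bindings


def check(config):
    """Return human-readable findings; an empty list means the map set is sane."""
    acls, entries, bindings = parse(config)
    findings = []
    # 1. The ASA binds exactly one crypto map per interface: a second
    #    "crypto map X interface Y" replaces the first binding instead of adding to it.
    for iface, maps in bindings.items():
        if len(maps) > 1:
            findings.append(f"{iface}: {maps} all applied; only {maps[-1]} is effective, "
                            f"{maps[:-1]} silently unbound")
    for name, seqs in entries.items():
        # 2. Entries are evaluated in ascending sequence order, so the dynamic
        #    (remote-access) entry must carry the highest number so that static entries
        #    with explicit peers and ACLs are tried first.
        dyn = [s for s, e in seqs.items() if e["dynamic"]]
        if dyn and max(dyn) != max(seqs):
            findings.append(f"{name}: dynamic entry seq {max(dyn)} is not the highest "
                            f"sequence ({max(seqs)})")
        # 3. Interesting-traffic ACLs of different static entries must not overlap;
        #    the lower sequence number wins and the other peer never sees that traffic.
        static = [(s, e["acl"]) for s, e in sorted(seqs.items()) if e["acl"]]
        for (s1, a1), (s2, a2) in combinations(static, 2):
            for (src1, dst1), (src2, dst2) in product(acls[a1], acls[a2]):
                if src1.overlaps(src2) and dst1.overlaps(dst2):
                    findings.append(f"{name}: seq {s1} ({a1}) {src1}->{dst1} overlaps seq "
                                    f"{s2} ({a2}) {src2}->{dst2}; seq {s1} wins")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of `show running-config crypto map` plus the relevant `show running-config access-list` lines; the fix for the sample is to drop the "L2L" map entirely, keep its entry as sequence 20 of "VPN", and trim the 10.9.5.0/24 line out of L2L_TRAFFIC so the remote-access split-tunnel ACL and the L2L ACL no longer claim the same flows.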
05-06-2020 04:51 AM
Many Thanks Marvin.