SITE 2 SITE VPN

saroj pradhan
Level 1

Hi,

I have a Cisco ASA5510 firewall and have configured one site-to-site VPN. I want to configure another S2S VPN in the FW for another site location.

Please advise what to do in the existing firewall so that two site-to-site VPNs can work.

Thanks,

Saroj

4 Replies

Julio Carvajal
VIP Alumni

Hello Saroj,

Pretty much, you must configure another entry in the crypto map already configured, pointing to the new peer and using a different crypto ACL (including the traffic to be encrypted between the sites), plus the transform set and the peer IP address as usual (you already know how to do this, as you have already set up one).

Then finally configure a new tunnel group pointing to the other VPN endpoint IP address and specify the pre-shared key there as well.

Remember to configure the NO_NAT rules for the VPN traffic as well.

Let me know if I was clear enough.

Regards,

Julio

Security Trainer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

Q1. Is it possible to use the same crypto map for the second tunnel, or should there be another crypto map policy? (I mean crypto map number or name.)

Q2. Do I need to have two different local subnets for creating S2S VPN tunnels for two different sites, or can one local subnet be used for both?

Q3. Will one no-NAT statement work for both, or do we need to create two no-NAT statements for the two tunnels?

I am a little confused with this. Please bear with me if it sounds like a silly question.

Regards,

Krish

Hello Krishan.

Ans 1: Since you are configuring a tunnel for another site location, it would be good to configure another crypto map number and name. The crypto map transform set "name" could be the same.

Ans 2: Subnets should be different; otherwise managing routing could be massive for you.

Ans 3: Since you use different subnets, you could make two access-lists for NO-NAT, or configure it in one access-list with a subnet mask that covers both subnetworks for both sites.

Please rate if it is helpful.

Hello,

1) You can only have one crypto map per interface, so you must use the same one; you will just use a different entry for each tunnel and then the specific parameters for each of those entries.

2) It is preferred to have different subnets, but if you have the same one then you would need to play with the NAT rules to allow the VPN to come up, so you can have them, but it will require more work.

3) On the same NAT rule (with the same ACL for the NO_NAT), generate the required number of entries to allow this VPN to come up.

Regards,

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
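The procedure the replies describe (second crypto map entry on the same map, its own crypto ACL and tunnel-group, and a NAT exemption per tunnel), written out as an added example that is not from any poster in this thread. It assumes ASA 8.4+ syntax, IKEv1, an outside interface named "outside", and constructed placeholder names, subnets and peer addresses.

```cisco
! Added example, not from the thread. All names and addresses are constructed placeholders.
! Existing tunnel: LOCAL_LAN 192.168.10.0/24 <-> Site A 10.1.0.0/24, peer 203.0.113.10
! New tunnel:      LOCAL_LAN 192.168.10.0/24 <-> Site B 10.2.0.0/24, peer 198.51.100.20

object network LOCAL_LAN
 subnet 192.168.10.0 255.255.255.0
object network SITEA_LAN
 subnet 10.1.0.0 255.255.255.0
object network SITEB_LAN
 subnet 10.2.0.0 255.255.255.0

! One crypto ACL per tunnel: each lists only the traffic destined for that peer
access-list VPN_SITEA extended permit ip object LOCAL_LAN object SITEA_LAN
access-list VPN_SITEB extended permit ip object LOCAL_LAN object SITEB_LAN

! NAT exemption (identity NAT) per tunnel; these must sit above any dynamic PAT rule
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SITEA_LAN SITEA_LAN no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SITEB_LAN SITEB_LAN no-proxy-arp route-lookup

! The transform set (and the IKEv1 policy) can be shared by both entries
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Same crypto map name (only one map per interface); a new sequence number per peer
crypto map OUTSIDE_MAP 10 match address VPN_SITEA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN_SITEB
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

! One tunnel-group per peer, named by the peer's public IP, each with its own PSK
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key <SITEB_PSK_PLACEHOLDER>

! Verification after sending interesting traffic toward 10.2.0.0/24:
!   show crypto ikev1 sa
!   show crypto ipsec sa peer 198.51.100.20
!   packet-tracer input inside tcp 192.168.10.5 1025 10.2.0.5 443
```

The packet-tracer line is the quickest way to confirm that the new NAT exemption, not the dynamic PAT rule, matches the Site B traffic before the tunnel is expected to come up.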