05-15-2006 07:16 AM - edited 03-09-2019 02:54 PM
I would like to have two crypto maps on one interface. Is that possible?
Example
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
crypto map map_london 20 ipsec-isakmp
crypto map map_london 20 match address acl_london
crypto map map_london 20 set pfs group2
crypto map map_london 20 set peer aa.bb.cc.dd
crypto map map_london interface outside
05-16-2006 03:19 AM
You can only bind one crypto map to an interface. You can have many tunnels on the same crypto map (dynamic maps included) by creating a new policy number.
For example
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set AWU_Transform
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs group2
crypto map outside_map 40 set peer y.y.y.y
crypto map outside_map 40 set transform-set AWU_Transform
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
I hope it helps .. please rate it if it does !!!
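An added example, not part of the original posts or of any Cisco tooling: a small Python check that finds interfaces with more than one crypto map bound and folds them into a single map with numbered entries, as the answer above describes. The helper names `parse`, `conflicts` and `merge` are hypothetical, and the input is the configuration from the question.

```python
import re
from collections import defaultdict

# Constructed sample: the two-map configuration from the question (peer masked as posted).
SAMPLE = """\
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
crypto map map_london 20 ipsec-isakmp
crypto map map_london 20 match address acl_london
crypto map map_london 20 set pfs group2
crypto map map_london 20 set peer aa.bb.cc.dd
crypto map map_london interface outside
"""
LINE = re.compile(r"^\s*crypto map (\S+) (.+?)\s*$", re.M)

def parse(config):
    """Split crypto map lines into interface bindings, numbered entries and map-wide options."""
    bindings, options = defaultdict(list), defaultdict(list)
    entries = defaultdict(lambda: defaultdict(list))
    for name, rest in LINE.findall(config):
        head, _, tail = rest.partition(" ")
        if head == "interface":
            bindings[tail].append(name)
        elif head.isdigit():
            entries[name][int(head)].append(tail)
        else:
            options[name].append(rest)
    return bindings, entries, options

def conflicts(config):
    """Interfaces with more than one crypto map bound (only one is allowed per interface)."""
    return {i: names for i, names in parse(config)[0].items() if len(names) > 1}

def merge(config, interface):
    """Fold every map bound to `interface` into the first one, as numbered entries."""
    bindings, entries, options = parse(config)
    target, *others = bindings[interface]
    merged = dict(entries[target])
    for name in others:
        for seq, rest in entries[name].items():
            if seq in merged:  # same sequence number in two maps: renumber by hand
                raise ValueError(f"sequence {seq} used in both {target} and {name}")
            merged[seq] = rest
    out = [f"crypto map {target} {s} {r}" for s in sorted(merged) for r in merged[s]]
    out += [f"crypto map {target} {o}" for o in options[target]]
    return out + [f"crypto map {target} interface {interface}"]
```

Because entries are emitted in sequence order, the site-to-site entry (20) lands ahead of the dynamic entry (1000), matching the answer's pattern of keeping the dynamic map at the highest number.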
05-16-2006 03:28 AM
Here's an example. The reason I've got two statements for the crypto ACL is so that it doesn't cause problems with PDM, as PDM doesn't like the same statement in two places within the configuration.
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 100 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 200 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 300 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list 400 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set TEST esp-3des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 100
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set transform-set TEST
crypto map MYMAP 20 ipsec-isakmp
crypto map MYMAP 20 match address 200
crypto map MYMAP 20 set peer x.x.x.x
crypto map MYMAP 20 set transform-set TEST
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 300
crypto map MYMAP 30 set peer x.x.x.x
crypto map MYMAP 30 set transform-set TEST
crypto map MYMAP 40 ipsec-isakmp
crypto map MYMAP 40 match address 400
crypto map MYMAP 40 set peer x.x.x.x
crypto map MYMAP 40 set transform-set TEST
crypto map MYMAP interface outside
isakmp enable outside
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp key xxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Hope this helps, please rate post if it does.
Jay
05-15-2006 07:30 AM
YES!
05-16-2006 01:19 AM
How do I do it?
05-16-2006 03:28 AM
Please advise what you are trying to achieve.
05-16-2006 06:50 AM
I was trying to connect multiple VPN clients with dyn-map and a VPN-point-to-point, everything on the same interface. Thanks all of you for your help.
Regards,
Eduardo