Solved: Re: how to configure multiplex vpn connections

unidadso · ‎08-23-2019

i want to present a case as soon as I add another connection vpn my doubt is if I have to apply the crypto map on the same interface or what should be done I want to clarify that I already have connection with one of the vpn in operation but when adding the other it generates this error

ciscuso(config)#interface gigabitEthernet 0/0/0
ciscuso(config-if)#crypto map MAP
ciscuso(config-if)

the gigabitEthernet 0/0/0 interface has the crypto map CMAP works correctly but when configuring crypto map MAP on the same interface the good one stops working

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 181.52.XX.XX
crypto isakmp key XXX address 181.62.XX.XX
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.XX.XX
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address VPN

crypto map CMAP 11 ipsec-isakmp
set peer 181.62.XX.XX
set security-association lifetime seconds 86400
set transform-set TS
set pfs group2
match address PAL
!
!

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.XX.XX 255.255.255.XX
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.XX.XX 255.255.255.0
ip nat inside
negotiation auto
!

!
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip nat inside source list 114 interface GigabitEthernet0/0/0 overload

ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.XX.XX
ip ssh time-out 30
ip ssh version 2
!
!
ip access-list extended PAL
permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 114 deny ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 113 permit ip 192.168.13.0 0.0.0.255

access-list 114 permit ip 192.168.13.0 0.0.0.255

unidadso · ‎08-23-2019

I have been able to solve the case
what I did was create a different acl in this case (PAL) and delete the access lists without denying me traffic really changes the environment when it comes to multiplex connections

crypto map CMAP 11 ipsec-isakmp
set peer 181.62.252.xx
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address PAL

ip access-list extended PAL
permit ip 192.168.13.0 0.0.0.255 192.168.X.X 0.0.0.255
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.X.X 0.0.0.255
!

!

View solution in original post

balaji.bandi · ‎08-23-2019

as per your crypto config it was CMAP, but under iterface you using MAP.

make necessary changes and test.

below thread will give information to solve your case.

https://community.cisco.com/t5/vpn-and-anyconnect/multiple-crypto-maps-on-single-outside-interface/td-p/2373092

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

unidadso · ‎08-23-2019

I have changed the configuration but I do not know what the fault is thanks for the link you sent me but I honestly do not understand the structure

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Cali1 address 181.52.244.xx
crypto isakmp key Usoca876 address 181.62.252.xx
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.xx
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address VPN

crypto map CMAP 11 ipsec-isakmp
set peer 181.62.252.xx
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address VPN

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.xx 255.255.255.xx
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!

!
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.xx
ip ssh time-out 30
ip ssh version 2
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
!

unidadso · ‎08-23-2019

I have been able to solve the case
what I did was create a different acl in this case (PAL) and delete the access lists without denying me traffic really changes the environment when it comes to multiplex connections

crypto map CMAP 11 ipsec-isakmp
set peer 181.62.252.xx
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address PAL

ip access-list extended PAL
permit ip 192.168.13.0 0.0.0.255 192.168.X.X 0.0.0.255
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.X.X 0.0.0.255
!

!

balaji.bandi · ‎08-24-2019

Glad it was working as expected, if this resolve mark as solution, so it will be usefull for community members.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help