How to configure multiple VPN connections

unidadso (Spotlight)

I want to present a case. As soon as I add another VPN connection, my doubt is whether I have to apply the crypto map on the same interface or what should be done. I want to clarify that I already have a connection with one of the VPNs in operation, but when adding the other it generates this error:

ciscuso(config)#interface gigabitEthernet 0/0/0
ciscuso(config-if)#crypto map MAP
ciscuso(config-if)

The GigabitEthernet 0/0/0 interface has the crypto map CMAP and works correctly, but when configuring crypto map MAP on the same interface the good one stops working.

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 181.52.XX.XX
crypto isakmp key XXX address 181.62.XX.XX
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.XX.XX
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address VPN

crypto map CMAP 11 ipsec-isakmp
set peer 181.62.XX.XX
set security-association lifetime seconds 86400
set transform-set TS
set pfs group2
match address PAL
!
!

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.XX.XX 255.255.255.XX
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.XX.XX 255.255.255.0
ip nat inside
negotiation auto
!

!
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip nat inside source list 114 interface GigabitEthernet0/0/0 overload

ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.XX.XX
ip ssh time-out 30
ip ssh version 2
!
!
ip access-list extended PAL
permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
access-list 114 deny ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 permit ip 192.168.13.0 0.0.0.255 any

4 Replies

balaji.bandi (Hall of Fame)

As per your crypto config it was CMAP, but under the interface you are using MAP.

Make the necessary changes and test.

The thread below will give information to solve your case.

https://community.cisco.com/t5/vpn-and-anyconnect/multiple-crypto-maps-on-single-outside-interface/td-p/2373092

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

unidadso

I have changed the configuration, but I do not know what the fault is. Thanks for the link you sent me, but I honestly do not understand the structure.

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
! pre-shared keys redacted here; never post live PSKs in a public thread
crypto isakmp key XXX address 181.52.244.xx
crypto isakmp key XXX address 181.62.252.xx
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.xx
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address VPN

crypto map CMAP 11 ipsec-isakmp
set peer 181.62.252.xx
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address VPN

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.xx 255.255.255.xx
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!

!
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.xx
ip ssh time-out 30
ip ssh version 2
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
!

unidadso

I have been able to solve the case.
What I did was create a different ACL, in this case PAL, and delete the access lists without it denying my traffic; it really changes the environment when it comes to multiple connections.

crypto map CMAP 11 ipsec-isakmp
set peer 181.62.252.xx
set security-association lifetime seconds 86400
set transform-set TS-VPN
set pfs group2
match address PAL

ip access-list extended PAL
permit ip 192.168.13.0 0.0.0.255 192.168.X.X 0.0.0.255
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.X.X 0.0.0.255
!
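The thread never spells out why each attempt failed, so here is the whole picture in one corrected configuration. This is an added example written by the editor, not a config posted by unidadso or balaji.bandi. Three things in the posted configs break multi-peer IPsec on one interface: (1) an interface carries exactly one crypto map set, so `crypto map MAP` under GigabitEthernet0/0/0 replaced CMAP instead of adding to it, which is why the working tunnel died; (2) in the revised config both crypto map entries use `match address VPN`, and entries are tried in sequence order, so seq 10 (peer 181.52) claims traffic for 192.168.6.0/24 as well and peer 181.62 never sees it; (3) the NAT exemption is split across two overload statements (first config) or has the deny for 192.168.6.0/24 after `permit ... any` (second config), so that traffic is translated before it reaches the crypto map and no longer matches the crypto ACL. The peer addresses, subnets and the names CMAP, TS-VPN, VPN and PAL are taken from the thread; the AES-256/SHA-256/DH group 14 proposal, the ACL name NAT-EXEMPT, the `description` lines and the DPD keepalive are the editor's assumptions (3DES, MD5 and group 2 as used in the thread are deprecated) and every phase 1/phase 2 change must be mirrored on both remote peers.

```cisco
! Added example (editor's), not the thread's own config. Assumptions: AES-256/SHA-256/
! group 14 proposal, ACL name NAT-EXEMPT, descriptions, DPD keepalive. Peers must match.
!
! Phase 1: one policy is enough when both peers accept the same proposal.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PSK-peer-A> address 181.52.XX.XX
crypto isakmp key <PSK-peer-B> address 181.62.XX.XX
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
! Phase 2 transform set shared by both tunnels.
crypto ipsec transform-set TS-VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! One crypto ACL per peer. Crypto map entries are evaluated in sequence order,
! so if both entries referenced the same ACL, seq 10 would claim traffic for
! both remote subnets and peer B would never negotiate an SA for its traffic.
ip access-list extended VPN
 permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended PAL
 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
!
! One crypto map set with two entries. A physical interface holds a single
! crypto map, so a second "crypto map <name>" on the interface replaces the first;
! adding a peer means adding a sequence number to the existing map.
crypto map CMAP 10 ipsec-isakmp
 description Site A (181.52.XX.XX)
 set peer 181.52.XX.XX
 set transform-set TS-VPN
 set pfs group14
 match address VPN
crypto map CMAP 11 ipsec-isakmp
 description Site B (181.62.XX.XX)
 set peer 181.62.XX.XX
 set transform-set TS-VPN
 set pfs group14
 match address PAL
!
interface GigabitEthernet0/0/0
 description WAN
 ip nat outside
 crypto map CMAP
!
! NAT exemption: a single overload statement and a single ACL in which every
! VPN destination is denied BEFORE the permit-any. A "deny" placed after
! "permit ... any" never matches, and a second NAT statement with its own ACL
! does not help because the first statement whose ACL permits the packet wins.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.13.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface GigabitEthernet0/0/0 overload
!
! Verification after the change:
!   show crypto map interface GigabitEthernet0/0/0   -> seq 10 and 11 both listed
!   show crypto isakmp sa                             -> QM_IDLE for each peer
!   show crypto ipsec sa peer 181.62.XX.XX            -> encaps/decaps counters rising
!   show ip nat translations | include 192.168.6.     -> should print nothing
```

Remove the old `ip nat inside source list 113 ...` and `114 ...` statements (and their ACLs) before adding NAT-EXEMPT, and clear any stale translations with `clear ip nat translation *`; an existing translation for a LAN host is otherwise reused even after the exemption is in place.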

Glad it is working as expected. If this resolved it, mark it as the solution so it will be useful for community members.

BB
