
ASA IPSEC config

mistryj
Level 1

Hello ASA Gurus,

I have an ASA 5525 and need to configure site to site ipsec vpn to 3 peers. I currently have an existing /28 public address from my ISP that is used by other services.

Is there a way to use this existing ip range to configure IPSEC tunnels to 3 peers ?


10 Replies

ajay chauhan
Level 7

Are you using this public IP range on the inside interface (LAN)?

Even if that's the case you can configure 3 VPN peers; those will be using three different ACLs.

Let's say your side A - 200.x.x.x/28
                    B - 10.x.x.x/24
                    C - 20.x.x.x/24
                    D - 30.x.x.x/24

Every time, for a new peer, a new ACL would be used with a fixed source subnet; the destination will be changed along with the peer IP address.

Thanks

Ajay

mistryj
Level 1

Hi,

No, this will be on the outside interface; ideally I want to create point-to-multipoint tunnels.

There should not be any issue; you just need to have different ACLs/crypto policies/peer IPs.

mistryj
Level 1

Hi,

Yes, I am trying to apply 2 crypto maps to the outside interface but can only see an entry for one?

The ASA 5525 has a different command set compared to the ASA 5505.

Any ideas ?

Paste full config here.

mistryj
Level 1

I have attached a test config.

The commands are slightly different on the ASA 5525.

I am struggling to find a way to add 2 peers to the outside interface, both Map-B and Map-P.


interface GigabitEthernet0/0
 description Peering Clients
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.240
!
interface GigabitEthernet0/1
 description LAN - Production
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
! One crypto ACL covering both remote networks
access-list S-VPN-ACL extended permit ip 10.10.0.0 255.255.0.0 172.10.0.0 255.255.0.0
access-list S-VPN-ACL extended permit ip 10.10.0.0 255.255.0.0 172.20.0.0 255.255.0.0
!
crypto ipsec ikev1 transform-set S-P esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set S-B esp-3des esp-sha-hmac
!
! Two separately named crypto maps, one peer each
! (neither entry binds a transform-set yet)
crypto map Map-B 10 match address S-VPN-ACL
crypto map Map-B 10 set peer C.C.C.C
crypto map Map-P 20 match address S-VPN-ACL
crypto map Map-P 20 set peer D.D.D.D
!
! Only Map-B is applied; Map-P is not bound to any interface
crypto map Map-B interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 14400

You can only apply one map on the outside interface. Your config should look like this.

We do not change the crypto map name; it's just the sequence number that needs to be changed.

! One crypto map name, one sequence number per peer
crypto map Map-B 10 match address S-VPN-ACL
crypto map Map-B 10 set peer C.C.C.C
crypto map Map-B 20 match address S-VPN-ACL
crypto map Map-B 20 set peer D.D.D.D
.........
.........
.........
! Nth entry of the same map for the Nth peer
crypto map Map-B N set peer D.D.D.D

Hope this helps.
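As an added example that is not part of this thread (constructed here, not Cisco's code and not either poster's), the following Python script parses the crypto map lines of an ASA config and flags the layout problems the posted test config and the corrected layout above run into: a map that is never applied to an interface (or several maps applied to the same interface), an entry missing one of its three required parts, and two sequence numbers of one map matching the same crypto ACL. The three embedded configs are constructed samples: the first mirrors the posted test config, the second the single-map layout from the reply above, and the third a single map with three sequence numbers and a separate crypto ACL per peer (the VPN-PEER-* ACL names, the S-ALL transform set and the peer E.E.E.E are hypothetical).

```python
import re
from collections import defaultdict

# Constructed sample mirroring the posted test config: two differently named
# crypto maps share one ACL and only Map-B is applied to the interface.
BROKEN_CONFIG = """
crypto ipsec ikev1 transform-set S-P esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set S-B esp-3des esp-sha-hmac
crypto map Map-B 10 match address S-VPN-ACL
crypto map Map-B 10 set peer C.C.C.C
crypto map Map-P 20 match address S-VPN-ACL
crypto map Map-P 20 set peer D.D.D.D
crypto map Map-B interface outside
"""

# Constructed sample of the single-map layout: one name, two sequence numbers,
# but both entries still match the same ACL, so sequence 10 takes all the traffic.
SHARED_ACL_CONFIG = """
crypto map Map-B 10 match address S-VPN-ACL
crypto map Map-B 10 set peer C.C.C.C
crypto map Map-B 10 set ikev1 transform-set S-B
crypto map Map-B 20 match address S-VPN-ACL
crypto map Map-B 20 set peer D.D.D.D
crypto map Map-B 20 set ikev1 transform-set S-P
crypto map Map-B interface outside
"""

# Constructed sample: one map on outside, one sequence number per peer, one crypto
# ACL per peer (VPN-PEER-* names, the S-ALL transform set and E.E.E.E are hypothetical).
FIXED_CONFIG = """
access-list VPN-PEER-C extended permit ip 10.10.0.0 255.255.0.0 172.10.0.0 255.255.0.0
access-list VPN-PEER-D extended permit ip 10.10.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list VPN-PEER-E extended permit ip 10.10.0.0 255.255.0.0 172.30.0.0 255.255.0.0
crypto ipsec ikev1 transform-set S-ALL esp-aes-256 esp-sha-hmac
crypto map Map-B 10 match address VPN-PEER-C
crypto map Map-B 10 set peer C.C.C.C
crypto map Map-B 10 set ikev1 transform-set S-ALL
crypto map Map-B 20 match address VPN-PEER-D
crypto map Map-B 20 set peer D.D.D.D
crypto map Map-B 20 set ikev1 transform-set S-ALL
crypto map Map-B 30 match address VPN-PEER-E
crypto map Map-B 30 set peer E.E.E.E
crypto map Map-B 30 set ikev1 transform-set S-ALL
crypto map Map-B interface outside
"""

# The three per-entry keywords the audit cares about, and the interface binding line.
KEYWORDS = ("match address", "set peer", "set ikev1 transform-set")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (" + "|".join(KEYWORDS) + r") (\S+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_maps(config):
    """Return ({(map, seq): {keyword: value}}, {interface: [map names]})."""
    entries = defaultdict(dict)
    bindings = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            name, seq, keyword, value = m.groups()
            entries[(name, int(seq))][keyword] = value
        elif b := BIND_RE.match(line):
            bindings[b.group(2)].append(b.group(1))
    return entries, bindings


def audit_crypto_maps(config):
    """List the layout problems from the thread; an empty list means the layout is sound."""
    entries, bindings = parse_crypto_maps(config)
    findings = []
    for iface, names in bindings.items():
        if len(names) > 1:  # the ASA keeps a single crypto map per interface
            findings.append(f"{iface}: several crypto maps applied ({', '.join(names)}); only one can be active")
    bound = {name for names in bindings.values() for name in names}
    first_use = {}  # (map, acl) -> lowest sequence number that matches that ACL
    for (name, seq), parts in sorted(entries.items()):
        if name not in bound:
            findings.append(f"{name} {seq}: map not applied to any interface, entry is inactive")
        for keyword in KEYWORDS:
            if keyword not in parts:
                findings.append(f"{name} {seq}: missing '{keyword}'")
        acl = parts.get("match address")
        if acl is None:
            continue
        # Entries are evaluated in sequence order; a later entry reusing the same ACL never matches.
        if (name, acl) in first_use:
            findings.append(f"{name} {seq}: ACL {acl} already matched by sequence {first_use[(name, acl)]}, this entry is shadowed")
        else:
            first_use[(name, acl)] = seq
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN_CONFIG), ("shared ACL", SHARED_ACL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit_crypto_maps(cfg) or 'no findings'}")
```

Run it directly to print the findings for all three samples. The shadowing check is the one to watch: the ASA walks crypto map entries in sequence-number order and uses the first entry whose ACL matches the traffic, so when sequences 10 and 20 both match S-VPN-ACL, peer D.D.D.D never gets a tunnel. Giving each peer its own crypto ACL with its own destination network, as the first reply in this thread describes, is what makes the single-map layout carry three peers. A backup peer for the same destination is a different case and is configured as several addresses on the `set peer` line of one entry rather than as a second sequence number.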

mistryj
Level 1


I see, but if I have 2 tunnels how do I fail over routes?

On my original router configuration I was using IP SLA.

If one tunnel is primary and the other backup, going via the same interface?



Please follow the steps given in the link below -

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links

This will help you to achieve what you are looking for.

Thanks

Ajay

mistryj
Level 1

Thank you !