Multiple Crypto Maps on Single Outside Interface

Shaun Michelson
Level 1

Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:

crypto map azure-crypto-map 10 match address azure-vpn-acl

crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)

crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set

crypto map azure-crypto-map interface outside

However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:

crypto map azure-crypto-map interface outside

which blows away my original line:

crypto map outside_map interface outside

It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You can use the same "crypto map"

Just add

crypto map outside_map 10 match address azure-vpn-acl

crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)

crypto map outside_map 10 set transform-set azure-ipsec-proposal-set

Your dynamic VPN Clients will continue to work just fine, as their "crypto map" statements have the lowest priority/order in the "crypto map" configuration (65535) and the L2L VPN is higher (10).

And what I mean with the above is that when an L2L VPN connection is formed from the remote end it will naturally match the L2L VPN configuration you have with the "crypto map" statements using the number "10". Then when a VPN Client connects it will naturally not match the number "10" specific configuration and will move to the next entry and match that one (65535).

If you would happen to configure a new L2L VPN connection then you could give it the number "11" for example and everything would still be fine.

Hope this helps

- Jouni



Genius! I'm up and running, thanks a bunch.

Hi

I need to add a vpn site to the config of an ASA 5505 version 8.2(5)

I have this VPN working:

crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000
crypto map map1 20 match address site1l2l
crypto map map1 20 set peer x1.x1.x1.x1
crypto map map1 20 set transform-set SET1
crypto map map1 interface outside

crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800

tunnel-group x1.x1.x1.x1 type ipsec-l2l
tunnel-group x1.x1.x1.x1 ipsec-attributes
pre-shared-key *****

But when I add the config for the other site

crypto ipsec transform-set SET2 esp-3des esp-md5-hmac

crypto map map2 30 match address site2l2l
crypto map map2 30 set peer x2.x2.x2.x2
crypto map map2 30 set transform-set SET2

crypto map map2 interface outside

crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group x2.x2.x2.x2 type ipsec-l2l
tunnel-group x2.x2.x2.x2 ipsec-attributes
pre-shared-key *****

This line: crypto map map2 interface outside

Overrides this one: crypto map map1 interface outside

The same thing that happened to Shaun.

I know that it's because there can be only one crypto map applied to an interface. The thing is that I don't have any dynamic map created and I'm not sure how to arrange the crypto maps to make it work.

My question is how can I use the dynamic map to make both sites work normally?

Thanks in advance!

Best regards.
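As an added illustration (not code from the thread or from Cisco), this Python script models what Jouni describes for Shaun's outside_map and what the map1/map2 configuration above needs: it parses "crypto map" entries, folds every map into one map keyed by sequence number (refusing a sequence reused across maps), renders the consolidated entries with a single interface binding, and picks the entry the ASA would use, lowest static sequence first with the 65535 dynamic entry as the fallback. The sample config and the peer addresses 198.51.100.10 and 203.0.113.7 are constructed placeholders, and the lookup is a simplification of real ASA matching (which also considers the crypto ACL).

```python
import re
# Constructed sample modelled on the thread: Shaun's dynamic entry plus the Azure
# static entry, each under its own map name (peer address is a placeholder).
SAMPLE_CONFIG = """
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer 198.51.100.10
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
"""

# "crypto map <name> <seq> <attribute ...>"; the "interface" binding line has no seq.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_crypto_maps(config):
    """Return {map_name: {seq: [attribute, ...]}} for every crypto map entry."""
    maps = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            name, seq, attr = m.group(1), int(m.group(2)), m.group(3)
            maps.setdefault(name, {}).setdefault(seq, []).append(attr)
    return maps

def merge_maps(maps):
    """Fold all maps into one {seq: attrs}; a seq reused across maps is an error."""
    merged = {}
    for entries in maps.values():
        for seq, attrs in entries.items():
            if seq in merged:
                raise ValueError(f"sequence {seq} is used by more than one map")
            merged[seq] = list(attrs)
    return merged

def render(merged, target):
    """Emit the consolidated entries under `target`, lowest seq first, plus one binding."""
    lines = [f"crypto map {target} {seq} {a}" for seq in sorted(merged) for a in merged[seq]]
    lines.append(f"crypto map {target} interface outside")
    return lines

def select_entry(merged, peer):
    """Simplified ASA lookup: lowest-seq static entry whose 'set peer' matches,
    otherwise the dynamic entry (the catch-all that VPN clients fall through to)."""
    for seq in sorted(merged):
        if f"set peer {peer}" in merged[seq]:
            return seq
    for seq in sorted(merged):
        if any(a.startswith("ipsec-isakmp dynamic") for a in merged[seq]):
            return seq
    return None
```

Running render() on the parsed sample produces the same three "outside_map 10" lines Jouni gives, followed by the existing 65535 dynamic entry and one interface binding.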