Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2608
Views
0
Helpful
5
Replies

two tunnels with the same crypto acl

r.spiandorello
Level 1
Level 1

‎12-07-2012 11:58 AM

Hi, a cloud service provider requests to setup two ipsec tunnels with the same crypto access-list, to reach the same network in cloud.

Now I'd like to know waht's the behaviour of ASA with two "similar" crypto map on the same interface and if ASA requests a stateful path or not.

thank you in advance

greatings

renato

Labels:
0 Helpful
5 Replies 5

Karsten Iwen
VIP
VIP

‎12-07-2012 04:09 PM

In this scenario you normally don't use two crypto-map sequences. You just have one sequence with two "set peer" statements. With that you have the redundency to reach the target also if one if the peers fail.


Sent from Cisco Technical Support iPad App

0 Helpful

r.spiandorello
Level 1
Level 1

‎12-10-2012 12:46 PM

yes sure, that was my solution but the cloud services provider requested two tunnels. Can I have problems ?

Sent from Cisco Technical Support iPhone App

0 Helpful

ju_mobile
Level 1
Level 1

‎12-10-2012 02:58 PM

You can define in the cryptomap that it matches the same traffic groups but the peer will be the definitive variation as highlighted. It cannot be the same peer address so from a cli

crypto_map OUTSIDE_MAP1 match address OUTSIDE_CRYPTOMAP
crypto_map OUTSIDE_MAP1 set peer 1.1.1.1
<>
crypto_map OUTSIDE_MAP2 match address OUTSIDE_CRYPTOMAP
crypto_map OUTSIDE_MAP2 set peer 2.2.2.2

Regards

Ju


Sent from Cisco Technical Support iPad App

0 Helpful

r.spiandorello
Level 1
Level 1
In response to ju_mobile

‎12-10-2012 11:32 PM

Ju, that's what I've done, but I'd like to know if ASA apply stateful logic to the two tunnel, in other words if a session packet goes through the first channel, can I have a session packet through the second channel ?

thanks

renato

0 Helpful

ju_mobile
Level 1
Level 1
In response to r.spiandorello

‎12-10-2012 11:56 PM

Hi Renato,

Apologies, I understand what your saying is two tunnels up and running to the same service provider but with two peer addresses. You want to start a session on one tunnel and also send data from the same session down the secondary tunnel, whilst maintining session state.

I guess what your question also needs to raise is how the asymmetrical routing would work with the applications.

would be a great one to lab so sorry not sure enough to offer an answer..

0 Helpful
Customers Also Viewed These Support Documents