12-04-2018 02:40 PM
What are crypto map sequence numbers for? What is their purpose and reason for being?
12-04-2018 02:53 PM - edited 12-04-2018 02:55 PM
Allows you to create multiple VPN tunnels from your ASA, see example below:
Sequence number 5 is for site A & sequence number 10 is for site B.
crypto map vpnmap 5 match address outside_cryptomap_2
crypto map vpnmap 5 set peer IP-ADD-1
crypto map vpnmap 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map vpnmap 5 set security-association lifetime seconds 3600
crypto map vpnmap 5 set security-association lifetime kilobytes 102400000
crypto map vpnmap 10 match address outside_cryptomap_7
crypto map vpnmap 10 set peer IP-ADD-2
crypto map vpnmap 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map vpnmap 10 set security-association lifetime kilobytes unlimited
crypto map vpnmap 15 match address outside_cryptomap_12
please accept as solution if it was so :)
regards, mk
12-04-2018 02:55 PM
Crypto map sequence numbers just have a local significance to the VPN headend. They help you order the VPN connection entries as per your requirements. Crypto map entries are sequential, so if you have a smaller and more specific crypto proxy, you can technically place it above a broader one in order for both to work:
Crypto map seq 1
Local proxy: 10.0.0.0/24
Remote proxy: 192.168.1.0/24
Crypto map seq 2
Local proxy: 10.0.0.0/24
Remote proxy: 192.168.0.0/16
In this case, everything going to 192.168.1.0/24 goes through peer 1, while everything in 192.168.0.0/16 except 192.168.1.0/24 goes to peer 2. If the order were reversed, only peer 2 would work.
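To make the ordering point concrete, here is an added Python model (constructed for this page, not ASA code) of first-match evaluation over the two entries above, plus a check that flags any entry an earlier one fully shadows; the proxies come from the post, the peer labels and flow addresses are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed illustration of first-match evaluation by sequence number.
# Each entry: (seq, local proxy, remote proxy, peer). Same two entries as the
# post above: the specific /24 at seq 1, the broader /16 at seq 2.
CORRECT_ORDER = [
    (1, "10.0.0.0/24", "192.168.1.0/24", "peer-1"),
    (2, "10.0.0.0/24", "192.168.0.0/16", "peer-2"),
]
# Same proxies with the sequence numbers swapped (the broad entry now wins).
REVERSED_ORDER = [
    (1, "10.0.0.0/24", "192.168.0.0/16", "peer-2"),
    (2, "10.0.0.0/24", "192.168.1.0/24", "peer-1"),
]


def select_peer(entries, src, dst):
    """Walk the entries in ascending sequence order and return the peer of the
    first one whose local/remote proxies contain the flow; None if nothing
    matches (the flow would not be protected by this crypto map)."""
    s, d = ip_address(src), ip_address(dst)
    for _seq, local, remote, peer in sorted(entries, key=lambda e: e[0]):
        if s in ip_network(local) and d in ip_network(remote):
            return peer
    return None


def shadowed_entries(entries):
    """Return the sequence numbers of entries that can never match because an
    earlier entry's proxies already cover theirs entirely (a misordering check)."""
    ordered = sorted(entries, key=lambda e: e[0])
    shadowed = []
    for i, (seq, local, remote, _peer) in enumerate(ordered):
        for _eseq, elocal, eremote, _epeer in ordered[:i]:
            if (ip_network(local).subnet_of(ip_network(elocal))
                    and ip_network(remote).subnet_of(ip_network(eremote))):
                shadowed.append(seq)
                break
    return shadowed


if __name__ == "__main__":
    print(select_peer(CORRECT_ORDER, "10.0.0.7", "192.168.1.9"))   # peer-1
    print(select_peer(CORRECT_ORDER, "10.0.0.7", "192.168.5.9"))   # peer-2
    print(select_peer(REVERSED_ORDER, "10.0.0.7", "192.168.1.9"))  # peer-2
    print(shadowed_entries(REVERSED_ORDER))                        # [2]
```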
12-05-2018 08:31 AM
I need more clarity on how the sequence numbers work.
For example, if you have 2 crypto maps on a device that have the same crypto map name but different sequence numbers, how would that work, say, versus 2 crypto maps on the device with different crypto map names and different sequence numbers, or, as a third case, 2 crypto maps on a device with different crypto map names and the same sequence numbers?
12-05-2018 02:23 PM
You can have only 1 crypto map applied to 1 interface. So in my previous config, the single crypto map is called vpnmap; now I can use different sequence numbers to configure multiple VPN tunnels, where each sequence number corresponds to the config for a specific VPN endpoint.
If I had another outside interface, I could also use that for S2S VPNs, but now I would have to give that crypto map a different name, e.g. vpnmap2, then, as before, use sequence numbers to configure different VPNs.
hope that helps
regards, mk
12-04-2018 02:56 PM
Just for completeness, add to the outside interface:
crypto map vpnmap interface outside
regards, mk