Re: ASA5505 2nd Site-to-Site config

ofir · ‎05-27-2009

I have a working Site-to-Site on my ASA5505

I have to configure a 2nd VPN, identical to teh existing VPN (obviously using different IPs & key)

this is the existing VPN config:

access-list SITE1_FIX extended permit ip host 192.168.x.y host A.B.C.D

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set SITE1 esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto dynamic-map outside_dyn_map0 20 set pfs

crypto dynamic-map outside_dyn_map0 20 set transform-set SITE1

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map SITE1VPN 20 match address SITE1_FIX

crypto map SITE1VPN 20 set peer x.y.176.251

crypto map SITE1VPN 20 set transform-set SITE1

crypto map SITE1VPN 65535 ipsec-isakmp dynamic outside_dyn_map0

crypto map SITE1VPN interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group x.y.176.251 type ipsec-l2l

tunnel-group x.y.176.251 ipsec-attributes

pre-shared-key *

for the new VPN for SITE2, can I use the same crypto dynamic-map outside_dyn_map 20 & crypto map SITE1VPN 20 ???

anything to pay extra attention to while configuring it?

Richard Burts · ‎05-27-2009

Ofir

To create a second site to site VPN you will need to configure:

- an access list for them similar to access-list SITE1_FIX but with a different name and address unique to the new site.

- a new instance within crypto map SITE1VPN - perhaps SITE1VPN 30 (you can not use SITE1VPN 20 over again).

- a tunnel-group for the new connection.

Depending on whether they will use the same transform set and isakmp policy you may need to configure new ones of these also.

HTH

Rick

HTH

Rick