Configuring multiple peer IPs for Site-to-Site VPN on a Firewall Context

Hassan Mwangi
Level 1

I am running a Cisco 5585 ASA Firewall version 9.1. I am running the context mode to cater for my different cloud customers. I have a new customer who needs a Site-to-Site VPN to a remote location. The remote location has three peer IPs configured in fail-over mode which I need to configure on my end.

Please advise if this is possible and how to go about the configuration.


6 Replies

You could set up the ASA with a dynamic crypto map. That way the ASA will accept VPN connections from dynamically assigned IPs on the remote host; so long as all other parameters match up, the VPN will be established.

Have a look at this link for the configuration:

https://www.fir3net.com/Firewalls/Cisco/how-to-configure-a-cisco-asa-site-to-site-vpn-between-a-static-and-dynamic-ip-based-peers.html

--

Please remember to select a correct answer and rate helpful posts

Hi Marius,

This is possible and I have done it on a router or an ASA without the context. You are able to create the different crypto maps for each of the failover peers.

But how about in a context firewall? Has anyone done it and had it work?

A context is just like any stand-alone firewall, just virtualized. I have done it and it worked fine for me.

--

Please remember to select a correct answer and rate helpful posts

The above is correct. The firewall context is the same as the non-context firewall and below is a sample configuration that worked for me.

! <map-name> <seq> stand for the customer's crypto map entry, which the original post did not show
(config)# crypto map <map-name> <seq> set peer XXX.XXX.XXX.145 XXX.XXX.XXX.156 XXX.XXX.XXX.29
! one tunnel-group per peer address, each carrying that peer's pre-shared key
(config)# tunnel-group XXX.XXX.XXX.145 type ipsec-l2l
(config)# tunnel-group XXX.XXX.XXX.145 ipsec-attributes
(config-tunnel-ipsec)# pre-shared-key ***********
(config)# tunnel-group XXX.XXX.XXX.156 type ipsec-l2l
(config)# tunnel-group XXX.XXX.XXX.156 ipsec-attributes
(config-tunnel-ipsec)# pre-shared-key ***********
(config)# tunnel-group XXX.XXX.XXX.29 type ipsec-l2l
(config)# tunnel-group XXX.XXX.XXX.29 ipsec-attributes
(config-tunnel-ipsec)# pre-shared-key **********
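As an added check that is not part of the thread, the following Python script parses a constructed ASA configuration snippet and reports any address in a crypto map `set peer` list that lacks its own `tunnel-group ... type ipsec-l2l` or pre-shared key, which is the omission that leaves one of the fail-over peers unable to negotiate. The map name, sequence number, ACL name and peer addresses are constructed sample values.

```python
import re

# Constructed sample ASA config (not from the thread): a crypto map entry listing
# three fail-over peers, but only two of them have a matching tunnel-group.
SAMPLE_CONFIG = """\
crypto map outside_map 15 match address CUSTOMER_VPN
crypto map outside_map 15 set peer 203.0.113.145 203.0.113.156 203.0.113.29
crypto map outside_map 15 set ikev1 transform-set ESP-AES256-SHA
tunnel-group 203.0.113.145 type ipsec-l2l
tunnel-group 203.0.113.145 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.156 type ipsec-l2l
tunnel-group 203.0.113.156 ipsec-attributes
 ikev1 pre-shared-key *****
"""

SET_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_TYPE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
TG_ATTR = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
PSK = re.compile(r"^\s+(?:ikev1 )?pre-shared-key \S+$")  # both spellings seen in ASA configs

def check_peers(config):
    """Return {(map, seq): [problems]} for every crypto map entry with 'set peer'."""
    l2l, keyed = set(), set()
    current = None  # tunnel-group whose ipsec-attributes sub-mode we are inside
    for line in config.splitlines():
        if m := TG_TYPE.match(line):
            l2l.add(m.group(1))
        elif m := TG_ATTR.match(line):
            current = m.group(1)
            continue
        elif current and PSK.match(line):
            keyed.add(current)
            continue
        if not line.startswith(" "):
            current = None  # any top-level command leaves the sub-mode
    report = {}
    for line in config.splitlines():
        if m := SET_PEER.match(line):
            problems = []
            for peer in m.group(3).split():  # each peer needs a tunnel-group and a key
                if peer not in l2l:
                    problems.append(f"peer {peer}: missing 'tunnel-group {peer} type ipsec-l2l'")
                elif peer not in keyed:
                    problems.append(f"peer {peer}: tunnel-group has no pre-shared key")
            report[(m.group(1), m.group(2))] = problems
    return report
```

Run it against the output of `show running-config` saved to a file; an empty problem list for each entry means every listed peer can complete Phase 1 on this side.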

Walter Astori
Level 1

I think that you must specify multiple peers with the command:

crypto map outside_map 15 set peer XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY ZZZ.ZZZ.ZZZ.ZZZ

You could do that, but then you would need a crypto map for each peer matching also the crypto ACL and transform set. With a dynamic VPN you only need to configure it once.

But of course if you enter all 3 manually you have more control of what VPNs you have set up...just more work.

--

Please remember to select a correct answer and rate helpful posts