03-07-2022 08:04 AM
Hello,
I just configured the commands below on an ASA5508 running 9.5(1). The remote endpoint doesn't support multiple ACEs in the proxy ACL...
Would that work?
Thanks,
Francois
access-list test-acl extended permit ip 10.0.0.0 255.255.255.0 any4
access-list test-acl1 extended permit ip 172.31.0.0 255.255.255.0 any4
crypto map CMAP 20 match address test-acl
crypto map CMAP 20 set peer a.b.c.d
crypto map CMAP 20 set ikev2 ipsec-proposal test
crypto map CMAP 20 set security-association lifetime seconds 28800
crypto map CMAP 30 match address test-acl1
crypto map CMAP 30 set peer a.b.c.d
crypto map CMAP 30 set ikev2 ipsec-proposal test
crypto map CMAP 30 set security-association lifetime seconds 28800
03-07-2022 08:33 AM
@fntowo2009 yes, a Juniper SRX would support multiple networks, example:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28197&actp=METADATA
If you upgraded to ASA 9.7 or higher you could also implement a route based VPN (VTI) which the SRX also supports.
03-07-2022 01:20 PM
As Mr. Rob suggests, VTI can solve the issue,
but can you try configuring PBR with the ACL LAN->0.0.0.0 and use the next-hop VTI IP address?
This makes the ASA send LAN->0.0.0.0 via the VTI, if the ASA supports VTI as next-hop.
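Added example of the route-based alternative discussed above (not from the original posts): the two crypto map entries for peer a.b.c.d are replaced by a VTI, and PBR on the inside interface sends only the two LAN subnets into the tunnel, so other subnets behind the ASA keep using the default route. The interface names, the 169.254.1.0/30 tunnel addresses and the profile/route-map names are assumptions; the existing IKEv2 policy, the tunnel-group for a.b.c.d and the ipsec-proposal "test" are assumed to stay in place.

```text
! Assumed: ASA 9.7 or higher, inside interface GigabitEthernet1/2, outside interface "outside"
! Assumed: crypto map entries CMAP 20/30 for peer a.b.c.d have been removed first
!
! IPsec profile reusing the proposal and lifetime from the crypto map config
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal test
 set security-association lifetime seconds 28800
!
! Route-based tunnel to the static SRX peer; tunnel address block is an assumption
interface Tunnel1
 nameif VTI
 ip address 169.254.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination a.b.c.d
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Only the two LAN subnets are steered into the tunnel; other subnets follow the routing table
access-list PBR-VTI extended permit ip 10.0.0.0 255.255.255.0 any4
access-list PBR-VTI extended permit ip 172.31.0.0 255.255.255.0 any4
route-map PBR-VTI permit 10
 match ip address PBR-VTI
 set ip next-hop 169.254.1.2
!
! PBR is applied on the ingress (inside) interface where the LAN traffic arrives
interface GigabitEthernet1/2
 policy-route route-map PBR-VTI
```

Traffic only enters Tunnel1 when a route or the PBR match points at it, so confirm the tunnel is up with "show crypto ikev2 sa" and check counters with "show interface Tunnel1".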
05-24-2022 10:43 AM
Hello,
Sorry for the delayed feedback!
The work was halted for a while...
We implemented this solution as we ran into connectivity issues with one proxy-acl with two ACEs. The engineer managing the SRX created a ticket with JTAC and they recommended going this route.
03-07-2022 08:28 AM
It's a dynamic-to-static IPSec solution as the ASA is on the ship... The Cisco remote end is being replaced with a Juniper SRX4600 and the engineer managing it told me his configuration might not support multiple ACEs in the proxy-ACL...
03-07-2022 08:09 AM
@fntowo2009 If the source IP and destination are the same, it would be hard to differentiate the connection.
What device is the remote peer? I find it hard to believe they do not support multiple entries.
03-07-2022 08:22 AM
Thanks for the prompt feedback Rob!
The remote peer is a Juniper SRX4600 and is managed by a different team. We're trying to implement a dynamic-to-static IPSec VPN solution as the ASA is on a ship...
03-07-2022 11:59 AM
Thx! There are other subnets behind the ASA and their traffic shouldn't be encrypted. A VTI will have a default route pointing to the tunnel... Correct?
03-07-2022 12:07 PM
@fntowo2009 no, incorrect. You only have routes (static or dynamic) via the VTI, to be tunneled to your peer, encrypted.
So unencrypted traffic would still go out your default route.
03-07-2022 12:15 PM
Traffic from two subnets behind the ASA to ANY destinations needs to be encrypted... That's why I said the default route will point to the tunnel.
05-24-2022 10:45 AM
Thanks for the valuable input!
05-24-2022 10:47 AM
Thanks for the valuable input!
03-07-2022 10:06 AM
KB16008 - Function of a new feature "Multiple Proxy ID support on a Route-Based VPN" (Supported started with ScreenOS 6.3)
03-07-2022 01:51 PM
Thx!