07-10-2023 06:47 AM
Dear Teams,
Please kindly suggest to me about the VPN.
How can I configure two site-to-site VPNs with a single public IP address on an ASA firewall? I tried to set up a VPN connection with Azure region A and the tunnel connected to that region. Then I set up another VPN connection to Azure with a different region, and that tunnel did not connect. Is it possible to configure two site-to-site VPNs with a single public IP address?
Could someone please guide me on that?
Many Thanks,
Pyie Phyo Htay.
07-10-2023 07:10 AM
Sure you can
crypto map IPSEC 10 set peer x.x.x.x
crypto map IPSEC 20 set peer y.y.y.y
one crypto map IPSEC and two seq
seq 10 for peer x.x.x.x
seq 20 for peer y.y.y.y
07-10-2023 07:32 AM
Yes, set for the Site A
crypto map azure_map 1 set peer x.x.x.x
and Site B
crypto map azure_map 2 set peer x.x.x.x
but only site A had connected
Do I need to type
crypto isakmp identity address
07-10-2023 07:35 AM
only Site A, check the crypto ACL you use
Site A crypto ACL can conflict with Site B crypto ACL
07-10-2023 07:58 AM - edited 07-10-2023 08:00 AM
Dear MHM bro,
Maybe I might be wrong in the ACL naming for both sites. Please kindly check my config and suggest.
access-list AZURE-VPN-ACL extended permit ip object-group DEV-NET-SOURCE object-group AZURE-NET-DESTINATION (site A)
access-list AZURE-VPN-ACL extended permit ip object-group DEV-NET-SOURCE object-group AZURE-AIRLINE-DESTINATION (site B)
nat (internal,VPN) source static DEV-NET-SOURCE DEV-NET-SOURCE destination static AZURE-NET-DESTINATION AZURE-NET-DESTINATION no-proxy-arp route-lookup (Site A)
nat (internal,VPN) source static DEV-NET-SOURCE DEV-NET-SOURCE destination static AZURE-AIRLINE-DESTINATION AZURE-AIRLINE-DESTINATION no-proxy-arp route-lookup (Site B)
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal Azure-Ipsec-Tunnel-Site2SiteConnection-A.A.A.A
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal Azure-Ipsec-Tunnel-iapi-prod-s2s-B.B.B.B
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address AZURE-VPN-ACL
crypto map outside_map 1 set peer A.A.A.A
crypto map outside_map 1 set ikev2 ipsec-proposal Azure-Ipsec-Tunnel-Site2SiteConnection-A.A.A.A
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address AZURE-VPN-ACL
crypto map outside_map 2 set peer B.B.B.B
crypto map outside_map 2 set ikev2 ipsec-proposal Azure-Ipsec-Tunnel-iapi-prod-s2s-B.B.B.B
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 2 set security-association lifetime seconds 3600
crypto map outside_map interface VPN
crypto ikev2 enable VPN
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy AzureGroupPolicy2 internal
group-policy AzureGroupPolicy2 attributes
vpn-tunnel-protocol ikev2
group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
vpn-tunnel-protocol ikev2
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A general-attributes
default-group-policy AzureGroupPolicy
tunnel-group A.A.A.A ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
default-group-policy AzureGroupPolicy2
tunnel-group B.B.B.B ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable peer-ip
tunnel-group-map default-group B.B.B.B
Thanks a lot.
07-10-2023 08:21 AM
access-list AZURE-VPN-ACL-A extended permit ip object-group DEV-NET-SOURCE object-group AZURE-NET-DESTINATION (site A)
access-list AZURE-VPN-ACL-B extended permit ip object-group DEV-NET-SOURCE object-group AZURE-AIRLINE-DESTINATION (site B)
crypto map outside_map 1 match address AZURE-VPN-ACL-A
crypto map outside_map 2 match address AZURE-VPN-ACL-B
Make these changes,
then clear crypto isakmp and clear crypto ipsec sa,
after that check again.
It will work.
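An added check, not from this thread or from Cisco, for the misconfiguration MHM points out here and in the earlier reply about one crypto map with two sequence numbers: a small Python script that parses the access-list and crypto map lines of an ASA running config and reports when two sequence numbers share one crypto ACL, when the same ACE appears in two different crypto ACLs, or when an entry has no peer or no ACL. The two embedded configs are constructed from the lines posted in this thread (the "before" with the shared ACL and the "after" with one ACL per site); A.A.A.A and B.B.B.B are the same placeholders the poster used.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto-map part of the config posted above, with the
# shared ACL that stopped the second tunnel from coming up.
BROKEN_CONFIG = """\
access-list AZURE-VPN-ACL extended permit ip object-group DEV-NET-SOURCE object-group AZURE-NET-DESTINATION
access-list AZURE-VPN-ACL extended permit ip object-group DEV-NET-SOURCE object-group AZURE-AIRLINE-DESTINATION
crypto map outside_map 1 match address AZURE-VPN-ACL
crypto map outside_map 1 set peer A.A.A.A
crypto map outside_map 2 match address AZURE-VPN-ACL
crypto map outside_map 2 set peer B.B.B.B
crypto map outside_map interface VPN
"""

# Constructed sample: the same config after applying the accepted fix.
FIXED_CONFIG = """\
access-list AZURE-VPN-ACL-A extended permit ip object-group DEV-NET-SOURCE object-group AZURE-NET-DESTINATION
access-list AZURE-VPN-ACL-B extended permit ip object-group DEV-NET-SOURCE object-group AZURE-AIRLINE-DESTINATION
crypto map outside_map 1 match address AZURE-VPN-ACL-A
crypto map outside_map 1 set peer A.A.A.A
crypto map outside_map 2 match address AZURE-VPN-ACL-B
crypto map outside_map 2 set peer B.B.B.B
crypto map outside_map interface VPN
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (.+)$")
MAP_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
MAP_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def parse_crypto_maps(config):
    """Return ({(map, seq): {"acl": name, "peers": [...]}}, {acl: [ace, ...]})."""
    entries = defaultdict(lambda: {"acl": None, "peers": []})
    acls = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.group(2))          # ACE body after "permit <proto>"
        elif m := MAP_MATCH_RE.match(line):
            entries[(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
        elif m := MAP_PEER_RE.match(line):
            entries[(m.group(1), int(m.group(2)))]["peers"].append(m.group(3))
    return dict(entries), dict(acls)


def find_problems(config):
    """List human-readable findings; an empty list means the crypto map looks consistent."""
    entries, acls = parse_crypto_maps(config)
    problems = []
    acl_users = defaultdict(list)   # crypto ACL name -> sequence numbers that reference it
    for (name, seq), e in sorted(entries.items()):
        if e["acl"] is None:
            problems.append(f"{name} seq {seq}: no 'match address' ACL")
        elif e["acl"] not in acls:
            problems.append(f"{name} seq {seq}: crypto ACL {e['acl']} has no entries")
        else:
            acl_users[e["acl"]].append(seq)
        if not e["peers"]:
            problems.append(f"{name} seq {seq}: no 'set peer'")
    # One ACL referenced by several sequence numbers: every tunnel needs its own crypto ACL.
    for acl, seqs in acl_users.items():
        if len(seqs) > 1:
            problems.append(f"crypto ACL {acl} is shared by seqs {seqs}; use one ACL per peer")
    # The same ACE in two crypto ACLs: overlapping proxy identities between tunnels.
    seen_ace = {}
    for acl, aces in acls.items():
        for ace in aces:
            if ace in seen_ace and seen_ace[ace] != acl:
                problems.append(f"ACE '{ace}' appears in both {seen_ace[ace]} and {acl}")
            seen_ace.setdefault(ace, acl)
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(label, find_problems(cfg) or "no problems found")
```

Feed it the output of `show running-config crypto` and `show running-config access-list` concatenated; only the three line shapes above are parsed, so object-group contents and other ACL keywords are ignored, which is enough to catch the shared-ACL mistake from this thread but not a full proxy-ID overlap analysis.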
07-10-2023 08:37 AM
Bro,
Kindly let me clarify with you: as I understand the ACL, it needs to be bound with the access-group AZURE-VPN-ACL. That's why I'm using the same ACL name. So I was wrong, right?
Many thanks for your helps.
07-10-2023 08:43 AM - edited 07-10-2023 08:43 AM
Yes, you were wrong.
The ACL for each site must be configured with a different name and then used with the crypto map.
you are so welcome friend
have a nice day
MHM
07-11-2023 01:09 AM - edited 07-11-2023 01:13 AM
Dear MHM,
Thanks for your support!
Today I changed the access-list to a different name for each of the two sites, then typed the clear crypto isakmp and clear crypto ipsec sa commands, and both tunnels showed as connected. But the problem is that a few minutes later the site B tunnel is not connected.
So I typed the clear crypto isakmp and clear crypto ipsec sa commands again, and the tunnel comes back up.
What misconfiguration could cause that?
Please kindly help, bro.