L2L on separate interfaces

Cybervex3 · ‎02-20-2013

Is it possible to have different crypto maps on different interfaces? We have 2 ISPs. I am not looking to do failover just have each of our 2 branch offices connect on separate interfaces.

5510 with Sec+ E0/0 10Mb, E0/3 10Mb

Each branch has 5505 with 10Mb

currently both branches have working tunnels to e0/3 on the 5510

Anyone have a link to setting this up? I seem to onl find info on setting it up for failover. Thought I would ask before editing and posting my asa configs.

I can post the configs if needed.

jawad-mukhtar · ‎02-20-2013

Yes u can have

But u will have to u se static route for other vpn because your all traffic is going out by your default route to your first ISP.

*** Do Rate Helpful Posts ***

Jawad

Cybervex3 · ‎02-21-2013

I was able to get the tunnel up by adding the route, tunnel-group, and new crypto map on 2nd interface. I was not able to connect to anything at the branch from the main ASA5510. I was able to connect as normal from the branch office to the main office over the new tunnel.

In the Main Office config "crypto map backup_map 30" was "crypto map outside_map 30"

Main Office ASA5510

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name xxx.local

names

name 1.1.1.107 Sonoma description OLD MAIL SERVER

name 10.10.2.6 DAYTONA-INT

name 10.10.2.62 SEBRING-INT

name 10.10.2.4 AUTHENTICA-INT

name 10.10.2.11 MIDOHIO-INT

name 10.10.2.15 PMEUPDATE-INT

name 10.10.2.25 FILETRANSFER-INT

name 10.10.2.22 FTP-INT

name 10.10.2.1 HOMESTEAD-INT

name 1.1.1.102 DAYTONA-EXT-OUT description CAS Server

name 1.1.1.109 FILETRANSFER-EXT-OUT description Secure File Transfer

name 1.1.1.105 FTP-EXT-OUT description FTPS

name 1.1.1.103 AUTHENTICA-EXT-OUT description Secure PDF

name 1.1.1.106 OSCODA-EXT-OUT description SQL Testing

name 1.1.1.104 ALEXSYS123-EXT-OUT description MidOhio

name 1.1.1.108 PMEUPDATE-EXT-OUT description NC Update server

name 1.1.1.110 CRASHPLAN-EXT-OUT description CrashPlan backup server

name 3.3.3.17 CV-WC

name 12.218.107.2 KINCEY-NC

name 10.10.2.34 CRASHPLAN-INT

name 2.2.2.196 DAYTONA-EXT-BAK

name 2.2.2.197 OneXPortal1-EXT-OUT description External IP for OneXPortal/NH-VM

name 10.10.2.41 OneXPortal1-INT description Internal IP for OneXPortal/NH-VM

!

interface Ethernet0/0

nameif backup

security-level 1

ip address 2.2.2.194 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.9.1.1 255.255.0.0

!

interface Ethernet0/2

shutdown

nameif test

security-level 10

ip address 172.16.10.1 255.255.255.0

!

interface Ethernet0/3

nameif outside

security-level 0

ip address 1.1.1.98 255.255.255.224

!

interface Management0/0

nameif management

security-level 100

ip address 172.17.0.199 255.255.255.0

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns domain-lookup management

dns server-group DefaultDNS

name-server HOMESTEAD-INT

domain-name xxx.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service SQLTEST udp

description SQLTEST for VES

port-object eq 1434

object-group service SQLTEST_TCP tcp

description SQLTEST For VES

port-object eq 1433

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

object-group service crashplan-4282 tcp

port-object eq 4282

object-group service OneXPortal tcp

description Open ports for OneXPortal

port-object eq 5222

port-object eq 8444

access-list nonat extended permit ip any 10.9.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.9.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0

access-list nonat extended permit ip host 1.1.1.98 10.100.0.0 255.255.0.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list nonat extended permit ip any 10.20.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0

access-list nonat extended permit ip 10.21.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list nonat extended permit ip 10.9.11.0 255.255.255.0 10.20.0.0 255.255.0.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.22.0.0 255.255.0.0

access-list nonat extended permit ip 10.12.0.0 255.255.0.0 10.22.0.0 255.255.0.0

access-list nonat extended permit ip 10.12.0.0 255.255.0.0 10.20.0.0 255.255.0.0

access-list nonat extended permit ip host 2.2.2.194 10.100.0.0 255.255.0.0

access-list outside_access_in extended permit tcp any host OneXPortal1-EXT-OUT object-group OneXPortal

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www

access-list outside_access_in extended permit icmp host 10.100.0.1 any inactive

access-list outside_access_in extended permit icmp any any inactive

access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0

access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0

access-list Split_Tunnel_List standard permit 10.20.0.0 255.255.0.0

access-list Split_Tunnel_List standard permit 10.100.0.0 255.255.0.0

access-list Split_Tunnel_List standard permit 10.9.0.0 255.255.0.0

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https

access-list outside_access_in_1 remark FTPS

access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1

access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400

access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive

access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive

access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host CRASHPLAN-EXT-OUT object-group crashplan-4282

access-list outside_access_in_1 extended deny icmp any any

access-list outside_access_in_1 extended permit icmp host 10.100.0.1 any inactive

access-list inside_access_out remark ******

access-list inside_access_out extended permit ip any any log

access-list CV-WC_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.100.0.0 255.255.0.0

access-list CV-WC_CRYPTO extended permit ip 10.9.0.0 255.255.0.0 10.100.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.21.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.9.0.0 255.255.0.0 10.20.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.10.0.0 255.255.0.0 10.22.0.0 255.255.0.0

access-list KINCEY_CRYPTO extended permit ip 10.12.0.0 255.255.0.0 10.22.0.0 255.255.0.0

access-list tcp-BYPASS extended permit tcp host 172.16.10.2 any

mtu backup 1500

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool IPSECVPN2 10.10.11.76-10.10.11.100

ip local pool SSL-VPN 10.9.11.1-10.9.11.100 mask 255.255.0.0

ip local pool IPSECVPN 10.10.11.25-10.10.11.75

ip local pool SSL-VPN-BU 10.9.11.101-10.9.11.200 mask 255.255.0.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

no asdm history enable

arp timeout 14400

global (backup) 1 2.2.2.195

global (outside) 1 1.1.1.99 netmask 255.255.255.224

nat (inside) 0 access-list nonat

nat (inside) 1 10.10.0.0 255.255.0.0

nat (inside) 1 10.11.0.0 255.255.0.0

nat (inside) 1 10.12.0.0 255.255.0.0

static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255

static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255

static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255

static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255

static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255

static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255

static (inside,backup) OneXPortal1-EXT-OUT OneXPortal1-INT netmask 255.255.255.255

static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255

static (inside,outside) CRASHPLAN-EXT-OUT CRASHPLAN-INT netmask 255.255.255.255

access-group outside_access_in in interface backup

access-group inside_access_out in interface inside

access-group outside_access_in_1 in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.97 1

route backup 0.0.0.0 0.0.0.0 2.2.2.193 254

route inside 10.8.0.0 255.255.0.0 10.10.1.1 1

route inside 10.10.0.0 255.255.0.0 10.10.1.1 1

route inside 10.11.0.0 255.255.0.0 10.10.1.1 1

route inside 10.12.0.0 255.255.0.0 10.10.1.1 1

route backup 3.3.3.15 255.255.255.255 2.2.2.193 1

route backup 3.3.3.17 255.255.255.255 2.2.2.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-reco

rd DfltAccessPolicy

webvpn

http-proxy enable

aaa-server PMERADIUS protocol radius

aaa-server PMERADIUS (inside) host HOMESTEAD-INT

key *****

radius-common-pw *****

aaa authentication ssh console LOCAL

http server enable

http 10.10.0.0 255.255.0.0 inside

http 172.17.0.0 255.255.255.0 management

http redirect backup 80

http redirect outside 80

crypto ipsec transform-set PM1 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec df-bit clear-df backup

crypto ipsec df-bit clear-df outside

crypto dynamic-map dyn1 1 set pfs group1

crypto dynamic-map dyn1 1 set transform-set PM1

crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800

crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set reverse-route

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1

crypto map outside_map 20 match address KINCEY_CRYPTO

crypto map outside_map 20 set peer KINCEY-NC

crypto map outside_map 20 set transform-set PM1

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map backup_map 30 match address CV-WC_CRYPTO

crypto map backup_map 30 set peer 3.3.3.17

crypto map backup_map 30 set transform-set PM1

crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map backup_map interface backup

crypto ca trustpoint vpn.xxx.com

enrollment terminal

fqdn vpn.xxx.com

subject-name CN=vpn.xxx.com, O=xxx, C=US, St=xx, L=xx

keypair vpn.xxx.com

crl configure

crypto ca certificate chain vpn.xxx.com

certificate 041200616c79f4

quit

crypto isakmp identity address

crypto isakmp enable backup

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp nat-traversal 33

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server HOMESTEAD-INT source inside prefer

ssl trust-point vpn.xxx.com outside

ssl trust-point vpn.xxx.com backup

ssl trust-point vpn.xxx.com test

webvpn

enable backup

enable outside

svc image disk0:/anyconnect-win-2.5.

3055-k9.pk

g 2

svc image disk0:/anyconnect-win-2.5.

2014-k9.pk

g 3

svc image disk0:/anyconnect-macosx-i

386-2.5.60

05-k9.pkg 4

svc image disk0:/anyconnect-win-3.1.

01065-k9.p

kg 5

svc profiles AllowRemoteUsers disk0:/AnyConnectProfile20

121003.xml

svc enable

internal-password enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 10.10.2.1

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain none

group-policy DfltGrpPolicy attributes

dns-server value 10.10.2.1 10.10.2.62

vpn-idle-timeout 600

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

default-domain value xxx.local

webvpn

url-list value Book1

svc profiles value AllowRemoteUsers

svc ask enable default webvpn timeout 10

group-policy AnyConnect internal

group-policy AnyConnect attributes

vpn-tunnel-protocol webvpn

webvpn

svc ask enable default webvpn timeout 15

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup general-attributes

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool (backup) SSL-VPN-BU

address-pool (outside) SSL-VPN

address-pool SSL-VPN

authentication-server-grou

p PMERADIUS

tunnel-group pm_ipsec type remote-access

tunnel-group pm_ipsec general-attributes

address-pool IPSECVPN2

tunnel-group pm_ipsec ipsec-attributes

pre-shared-key *****

tunnel-group xxx type remote-access

tunnel-group xxx general-attributes

address-pool IPSECVPN

tunnel-group xxx ipsec-attributes

pre-shared-key *****

tunnel-group 207.148.209.20 type ipsec-l2l

tunnel-group 207.148.209.20 ipsec-attributes

pre-shared-key *****

tunnel-group 3.3.3.17 type ipsec-l2l

tunnel-group 3.3.3.17 ipsec-attributes

pre-shared-key *****

tunnel-group 12.218.107.2 type ipsec-l2l

tunnel-group 12.218.107.2 ipsec-attributes

pre-shared-key *****

!

class-map tcp-BYPASS

match access-list tcp-BYPASS

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 1024

policy-map global_policy

class inspection_default

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect icmp

inspect ip-options

class class-default

!

service-policy global_policy global

smtp-server 10.10.2.6

prompt hostname context

Cryptochecksum:fd773e12ead

6414bd14e1

0cd3b7324f

0

: end

**************************

**********

*******

**************************

**********

*******

Branch office

hostname CV-WC

domain-name xxx.local

names

name 10.10.0.0 NH-LAN

name 10.10.2.1 HOMESTEAD

name 2.2.2.194 NH

!

interface Ethernet0/0

description CV-WC *WAN* (Physical Interface)

switchport access vlan 2

!

interface Ethernet0/1

description CV-WC *LAN* (Physical Interface)

!

interface Ethernet0/2

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

description CV-WC *LAN* Interface

nameif inside

security-level 100

ip address 10.100.0.1 255.255.0.0

!

interface Vlan2

description CV-WC *WAN* Interface

nameif outside

security-level 0

ip address 3.3.3.17 255.255.255.0

!

ftp mode passive

clock timezone MST -5

clock summer-time MST recurring

dns server-group DefaultDNS

domain-name xxx.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_out_outside extended permit ip any any

access-list outside_in_inside extended permit icmp any any

access-list CV-Split-Tunnel standard permit 10.100.0.0 255.255.0.0

access-list CV-Split-Tunnel standard permit NH-LAN 255.255.0.0

access-list CV-Split-Tunnel standard permit 10.20.0.0 255.255.0.0

access-list INSIDE_NAT0_OUTBOUND extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0

access-list INSIDE_NAT0_OUTBOUND extended permit ip any 10.100.0.0 255.255.0.0

access-list OUTSIDE_1_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0

access-list WKSMITH_CRYPTO extended permit ip 10.100.0.0 255.255.0.0 NH-LAN 255.255.0.0

pager lines 24

logging enable

logging monitor warnings

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool GENERAL-WC-SSL 10.100.0.101-10.100.0.120 mask 255.255.0.0

ip local pool CV-WC-VPNPOOL 10.100.0.10-10.100.0.60 mask 255.255.0.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list INSIDE_NAT0_OUTBOUND

nat (inside) 1 10.100.0.0 255.255.0.0

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_out_outside in interface inside

access-group outside_in_inside in interface outside

route outside 0.0.0.0 0.0.0.0 3.3.3.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-reco

rd DfltAccessPolicy

aaa-server PMERADIUS protocol radius

aaa-server PMERADIUS (inside) host HOMESTEAD

key *****

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.100.0.0 255.255.0.0 inside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set 50 esp-aes-256 esp-sha-hmac

crypto ipsec transform-set RTPSET esp-aes esp-sha-hmac