12-07-2011 12:23 PM
I got an ASA 5510 and I'm trying to connect a site-to-site with a 5505. Problem is, on the 5510 I have multiple Remote Access VPNs and want to add the STS VPN in; I'm just confirming my config.
I'd assume I use the same crypto map but create multiple policies and change the priority? Is this the correct way? I'm assuming if I created a new crypto map it would override it when I attach it to the interface.
Any help from the forum would be awesome.
Thanks ahead of time!
Solved!
12-07-2011 01:00 PM
Hello Jason,
First of all you will need to check whether your license supports the number of VPN tunnels you are going to build. Assuming you have a version that supports this scenario, here is what you need to know.
Let's say you already have 3 VPNs up and running and you want to add a new crypto map for a new tunnel. The crypto map you have been using and have applied to the interface is called YYY.
crypto map YYY 1 match address xxxxx
crypto map YYY 1 set peer xx
crypto map YYY 1 set ikev1 transform-set ESP-3DES-SHA
crypto map YYY 2 match address xxxx
crypto map YYY 2 set peer xxx
crypto map YYY 2 set ikev1 transform-set ESP-3DES-SHA
crypto map YYY 3 match address xxx
crypto map YYY 3 set peer xxx
crypto map YYY 3 set ikev1 transform-set ESP-3DES-SHA
crypto map YYY interface outside
And the new VPN configuration will use peer 1.1.1.1, ACL 139 and the transform set ESP-3DES-SHA:
So you will need (a new sequence number, 4, since 1 to 3 are already taken):
crypto map YYY 4 match address 139
crypto map YYY 4 set peer 1.1.1.1
crypto map YYY 4 set ikev1 transform-set ESP-3DES-SHA
So the thing is, you can have more than one policy or tunnel applied to the same crypto map on the same interface.
Let me know if I understood your question correctly.
Regards,
Please rate helpful posts.
Julio!!!
12-08-2011 03:09 PM
Hello Jason,
Thanks for the rating. I was checking the configuration you sent me, and let me begin by letting you know why you may want to use a dynamic crypto map. You will use this particular feature when your peer does not have a static IP address on their VPN end interface, so the IP will be dynamically changing. With this feature your ASA will be able to respond via the VPN tunnel to all the connections initiated from their site; you will not be able to initiate the communication.
Now, in order to apply a dynamic crypto map to an interface you will first need to apply it to a crypto map. In the configuration you sent me you have it configured right here:
"crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map"
If you want to have the dynamic crypto map and the new site-to-site VPN, they will need to be under the same interface, and you can only apply one crypto map per interface. So the configuration of the new VPN tunnel would use outside_map as well, instead of a new crypto map name.
Hope this helps.
Please rate helpful posts
Julio!!
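The two answers above describe the pieces in words (add the new static entry to the crypto map that is already bound to the interface, give it its own sequence number, and leave the dynamic entry at 65535 for the remote-access clients). The following is an added example, not configuration from the thread or from Jason's firewall, that shows a complete site-to-site tunnel added to such a map in ASA 8.4 syntax. The map name outside_map, the dynamic-map entry at 65535 and peer 1.1.1.1 / ACL 139 come from the thread; the LAN prefixes, object names, the AES transform set, the pre-shared-key placeholder and the sequence number 20 are assumptions made for the example.

```cisco
! Added example for the thread above (assumed addresses and names, see lead-in).
! Assumes the existing config already has:
!   crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!   crypto map outside_map interface outside
!
! 1. Crypto ACL: traffic the tunnel protects. The 5505 needs the mirror image.
access-list 139 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
!
! 2. Identity NAT so the existing dynamic NAT does not translate VPN traffic (8.3+ syntax).
object network LAN-LOCAL
 subnet 192.168.10.0 255.255.255.0
object network LAN-REMOTE
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
!
! 3. Phase 1 and phase 2 parameters. AES is used instead of the thread's 3DES;
!    3DES/SHA-1 is weak by today's standards and should not be used for new tunnels.
!    "crypto ikev1 enable outside" is already present if remote-access IKEv1 works.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! 4. Peer authentication: an L2L tunnel-group named after the peer's static IP.
!    The PSK placeholder must be replaced with a long random secret; it also has to
!    match the 5505 exactly.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! 5. The static entry goes into the EXISTING map, outside_map, with an unused sequence
!    number. Reusing a sequence number that is already in the map edits that entry
!    instead of adding a new one, and the number must be lower than 65535 so the static
!    entry is evaluated before the catch-all dynamic entry.
crypto map outside_map 20 match address 139
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set ikev1 transform-set ESP-AES256-SHA
!
! Do NOT configure "crypto map NEWMAP interface outside": only one crypto map can be
! bound to an interface, so a new map would replace outside_map and take the existing
! remote-access and site-to-site tunnels with it.
!
! 6. Verification (read-only):
!    show run crypto map           - all entries under outside_map, 20 listed before 65535
!    show crypto ikev1 sa          - phase 1 SA to 1.1.1.1 once interesting traffic is sent
!    show crypto ipsec sa peer 1.1.1.1
```

The sequence number only has to be unique within outside_map and below the dynamic entry; 20 is arbitrary. If the remote-access clients stop connecting after the change, the usual cause is a static entry whose crypto ACL overlaps the client pool, since entries are matched in ascending sequence order before the dynamic entry is ever reached.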
12-07-2011 04:45 PM
Fantastic response and makes complete sense. I'm working with a firewall I didn't configure and, to be honest, it has a ton of junk in it that I do need to fix someday, but I was wondering if you could look at the config, as it appears they are using dynamic maps and I am confused on the config portion.
Attached is my command input and the sh run crypto.
Any guidance would be awesome.
Thanks again.
12-08-2011 03:11 PM
Thanks for the reply jcarvaja, I got it figured out, but thanks again for all your help and quick replies.
12-08-2011 03:31 PM
Hello Jason,
Thanks again for the rating. It has been a pleasure; any other question, just let me know.
Regards,
Julio