Why not create 11... site to site vpn on

dongnguyen248
Level 1
Hi everybody!
I created 10 VPNs on an ASA 5525, but when creating VPN 11 it can't.
This is the show run:
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network INSIDE-ASA
subnet 192.168.100.0 255.255.255.0
object network INSIDE-R2
subnet 1.1.1.0 255.255.255.0
object network INSIDE-R3
subnet 2.2.2.0 255.255.255.0
object network INSIDE-R
subnet 3.3.3.0 255.255.255.0
object network INSIDE-R5
subnet 4.4.4.0 255.255.255.0
object network INSIDE-R6
subnet 6.6.6.0 255.255.255.0
object network INSIDE-R7
subnet 7.7.7.0 255.255.255.0
object network INSIDE-R8
subnet 8.8.8.0 255.255.255.0
object network INSIDE-R9
subnet 9.9.9.0 255.255.255.0
object network INSIDE-R11
subnet 11.11.11.0 255.255.255.0
object network INSIDE-R12
subnet 12.12.12.0 255.255.255.0
object network INSIDE-R13
subnet 13.13.13.0 255.255.255.0
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R2
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R3
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R5
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R6
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R7
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R8
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R9
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R11
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R12
access-list VPN extended permit ip object INSIDE-ASA object INSIDE-R13
pager lines 23
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router ospf 10
network 10.10.10.0 255.255.255.0 area 0
network 192.168.100.0 255.255.255.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map mymap 10 match address VPN
crypto map mymap 10 set peer 10.10.10.1 10.10.10.3 10.10.10.4 10.10.10.5 10.10.10.6 10.10.10.7 10.10.10.8 10.10.10.9 10.10.10.11 10.10.10.12
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
Looking forward to everyone's help.
Thank you.
Accepted Solution

Hello @dongnguyen248

 

So your configuration should look like this: 

 

crypto map mymap 1 match address ACL-1
crypto map mymap 1 set peer 10.10.10.1
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap 3 match address ACL-3
crypto map mymap 3 set peer 10.10.10.3
crypto map mymap 3 set ikev1 transform-set myset
crypto map mymap 4 match address ACL-4
crypto map mymap 4 set peer 10.10.10.4
crypto map mymap 4 set ikev1 transform-set myset
crypto map mymap 5 match address ACL-5
crypto map mymap 5 set peer 10.10.10.5
crypto map mymap 5 set ikev1 transform-set myset
crypto map mymap 6 match address ACL-6
crypto map mymap 6 set peer 10.10.10.6
crypto map mymap 6 set ikev1 transform-set myset
crypto map mymap 7 match address ACL-7
crypto map mymap 7 set peer 10.10.10.7
crypto map mymap 7 set ikev1 transform-set myset
crypto map mymap 8 match address ACL-8
crypto map mymap 8 set peer 10.10.10.8
crypto map mymap 8 set ikev1 transform-set myset
crypto map mymap 9 match address ACL-9
crypto map mymap 9 set peer 10.10.10.9
crypto map mymap 9 set ikev1 transform-set myset
crypto map mymap 11 match address ACL-11
crypto map mymap 11 set peer 10.10.10.11
crypto map mymap 11 set ikev1 transform-set myset
crypto map mymap 12 match address ACL-12
crypto map mymap 12 set peer 10.10.10.12
crypto map mymap 12 set ikev1 transform-set myset
crypto map mymap interface outside

 

These are called "entries" and they are defined by a sequence number, so every VPN tunnel has the peer, ACL and transform-set. If you want to add more VPN tunnels you just adjust the sequence number, peer IP, ACL and transform-set for that particular tunnel, for example: 

 

crypto map mymap 13 match address ACL-13
crypto map mymap 13 set peer 10.10.10.13
crypto map mymap 13 set ikev1 transform-set myset

 

HTH

Gio


7 Replies

Bogdan Nita
VIP Alumni

A crypto map with multiple peers is used for redundancy, so I am not sure why you need so many peers connected.

I have never seen more than 3 or 4 peers configured until now.

I would imagine there is a limit to the number of peers that can be configured; not sure what it is, but it could very well be 10.

Hi Bogdan Nita,

thanks for the reply.

We are connecting SCADA via site-to-site VPN.

We need to create many site-to-site VPNs between the ASA 5525 and each router at the power stations.

GioGonza
Level 4

Hello @dongnguyen248

 

Actually, you didn't configure 10 VPN tunnels. You created 1 VPN tunnel with 9 backups, so in your case only one of the 10 will be active, and if this fails the next one will go up, and so on. 

 

The actual limit for that is 10, so you cannot add number 11 (Stranger Things, huh?); in this case it will remain at 10. If you want 11 VPN tunnels you should have 11 entries in the crypto map configuration.

 

HTH 

Gio

Hi GioGonza, thanks for the reply.

 

But an ASA 5525 can create 750 site-to-site VPNs. When I add peer 11 the VPN can't become active. 

On one interface we can only apply one crypto map.

The way to add more VPNs to your config is using the sequence number.

Configuration for a new VPN tunnel, based on the config you posted could look like this:

crypto map mymap 11 match address VPN-10.10.10.13
crypto map mymap 11 set peer 10.10.10.13
crypto map mymap 11 set ikev1 transform-set myset

 

You should check out this link, to better understand how crypto-maps work:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-ike.html#ID-2441-000003bf
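As an added example (not from the thread and not Cisco's own tooling), the following Python script does the two things the replies above describe: it renders one crypto map entry per peer, each with its own sequence number, ACL and transform-set, and it lints an existing set of crypto map lines to flag an entry that lists several peers (one tunnel with failover backups, not several tunnels) or exceeds the ten-peer limit per entry. The map name, transform-set name and hub object are taken from the posted config; the site list, the REMOTE-n/ACL-n naming and the `max_peers` value are constructed assumptions.

```python
"""Generate and lint Cisco ASA IKEv1 crypto map entries, one per site-to-site peer.

Added example, not from the thread. Object/ACL names and the site list below
are constructed to mirror the thread's config (hub 192.168.100.0/24, spokes
10.10.10.x); they are illustrative assumptions, not a real deployment.
"""
import re
from collections import defaultdict

HUB_OBJECT = "INSIDE-ASA"    # from the thread's config
MAP_NAME = "mymap"           # from the thread's config
TRANSFORM_SET = "myset"      # from the thread's config

# Constructed site list: (sequence number, peer IP, remote subnet, remote mask)
SITES = [
    (1, "10.10.10.1", "1.1.1.0", "255.255.255.0"),
    (3, "10.10.10.3", "2.2.2.0", "255.255.255.0"),
    (11, "10.10.10.11", "11.11.11.0", "255.255.255.0"),
]


def render_entries(sites, map_name=MAP_NAME, hub=HUB_OBJECT, tset=TRANSFORM_SET):
    """Emit one network object, one ACL and one crypto map entry per peer.
    A distinct sequence number per peer is what makes each one a separate
    tunnel instead of a backup peer of the same entry."""
    lines = []
    seen = set()
    for seq, peer, subnet, mask in sites:
        if seq in seen:
            raise ValueError(f"duplicate sequence number {seq}")
        seen.add(seq)
        obj = f"REMOTE-{seq}"   # assumed naming convention
        acl = f"ACL-{seq}"      # assumed naming convention
        lines += [
            f"object network {obj}",
            f" subnet {subnet} {mask}",
            f"access-list {acl} extended permit ip object {hub} object {obj}",
            f"crypto map {map_name} {seq} match address {acl}",
            f"crypto map {map_name} {seq} set peer {peer}",
            f"crypto map {map_name} {seq} set ikev1 transform-set {tset}",
        ]
    lines.append(f"crypto map {map_name} interface outside")
    return lines


CRYPTO_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (.+)$"
)


def lint_crypto_map(config_lines, max_peers=10):
    """Parse crypto map entry lines and report the problems the thread discusses:
    several peers on one entry are failover backups of a single tunnel, the ASA
    refuses more than max_peers peers on one entry, and an entry is incomplete
    without its ACL, peer and transform-set."""
    entries = defaultdict(lambda: {"acl": None, "peers": [], "tset": None})
    for line in config_lines:
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue  # interface binding and non-crypto-map lines are ignored
        name, seq, kind, value = m.groups()
        entry = entries[(name, int(seq))]
        if kind == "match address":
            entry["acl"] = value
        elif kind == "set peer":
            entry["peers"] += value.split()
        else:
            entry["tset"] = value
    findings = []
    for (name, seq), e in sorted(entries.items()):
        if len(e["peers"]) > 1:
            findings.append(f"{name} {seq}: {len(e['peers'])} peers on one entry; "
                            "they are failover backups of one tunnel, not separate tunnels")
        if len(e["peers"]) > max_peers:
            findings.append(f"{name} {seq}: exceeds the {max_peers}-peer limit per entry")
        for field in ("acl", "peers", "tset"):
            if not e[field]:
                findings.append(f"{name} {seq}: missing {field}")
    return findings


# Constructed excerpt of the original poster's single entry with ten peers.
ORIGINAL = [
    "crypto map mymap 10 match address VPN",
    "crypto map mymap 10 set peer 10.10.10.1 10.10.10.3 10.10.10.4 10.10.10.5 "
    "10.10.10.6 10.10.10.7 10.10.10.8 10.10.10.9 10.10.10.11 10.10.10.12",
    "crypto map mymap 10 set ikev1 transform-set myset",
]

if __name__ == "__main__":
    for finding in lint_crypto_map(ORIGINAL):
        print("finding:", finding)
    print("\n".join(render_entries(SITES)))
```

Running the script prints the single finding for the poster's ten-peer entry and then the per-site configuration; feeding the rendered lines back through `lint_crypto_map` yields no findings, which is the property an auditor wants to check before pasting a generated block into a production ASA.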


Thanks GioGonza.

This is the solution for me.

Thank you.