Configuring ASA IPSEC Tunnels

Status
Not open for further replies.

J001 (Technical User, GB, joined Mar 23, 2007)
Hello,

I am new to ASA world so please bear with me.

I have an ASA5525 and want to create site-to-site IPSEC VPN tunnels to 3 peers.

I have an existing /28 public IP address range from my ISP and want to know if I can use this address for all 3 peers.

Is there a way to overcome this easily?

Regards,

 
Yes, you can use the same address for all tunnels. The only thing that will change between the three tunnels is the tunnel-group since it needs to be specific to the remote IP address that you are establishing the tunnel with. Simply create your first one and then duplicate that as many times as needed to get the rest of your VPN tunnels up.

 
Hi,

I have attached a test config.

The commands are slightly different on ASA 5525.

I am struggling to find a way to add 2 peers to the outside interface, both Map-B and Map-P. What have I done wrong?

Code:
interface GigabitEthernet0/0
 description Peering Clients
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.240
!
interface GigabitEthernet0/1
 description LAN - Production
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.255.0
!
! One crypto ACL with two entries (one per remote network), referenced by both maps
access-list S-VPN extended permit ip 10.10.0.0 255.255.0.0 172.10.0.0 255.255.0.0
access-list S-VPN extended permit ip 10.10.0.0 255.255.0.0 172.20.0.0 255.255.0.0
!
crypto ipsec ikev1 transform-set S-P esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set S-B esp-3des esp-sha-hmac
! Two separately named crypto maps, each holding a single peer entry
crypto map Map-B 10 match address S-VPN
crypto map Map-B 10 set peer C.C.C.C
crypto map Map-P 20 match address S-VPN
crypto map Map-P 20 set peer D.D.D.D
!
! An interface takes exactly one crypto map: only Map-B is bound here, Map-P is never applied
crypto map Map-B interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 14400
 
Create two crypto ACLs and simply use multiple sequence numbers in your crypto map:
Code:
! One crypto ACL per peer, each matching only that peer's remote network
access-list C-VPN extended permit ip 10.10.0.0 255.255.0.0 172.10.0.0 255.255.0.0
access-list D-VPN extended permit ip 10.10.0.0 255.255.0.0 172.20.0.0 255.255.0.0

! A single crypto map; each peer gets its own sequence number.
! Each entry also needs a transform set (the S-P / S-B sets defined above) or it stays incomplete.
crypto map mymap 10 match address C-VPN
crypto map mymap 10 set peer C.C.C.C
crypto map mymap 10 set ikev1 transform-set S-P
crypto map mymap 20 match address D-VPN
crypto map mymap 20 set peer D.D.D.D
crypto map mymap 20 set ikev1 transform-set S-B

! Only one crypto map can be bound to an interface, so bind the combined map once
crypto map mymap interface outside

 
Hi,

Thank you for this info.

1) If C.C.C.C failed, can I fail over to another interface and go to another backup site? I have multipoint sites using Palo Alto and was wondering if I can configure automatic failover of tunnels using IP SLA. I have not been successful in testing this as yet. The question is how to keep the tunnel up, as if there is no traffic flowing across they will go down.

2) Also, do I need policy NAT to stop duplication of IPs, and how do I configure it in version 8.4?



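Pulling the thread together as an added example (this is not configuration from any of the posts above, nor a Cisco reference config): one crypto map on the outside interface carrying three site-to-site IKEv1 peers from the single /28 address, with the pieces the posted snippets leave out: a transform set bound to every entry, a tunnel-group per peer with its pre-shared key, IKE dead-peer detection and an idle timeout for the "how do I keep the tunnel up" question, and the 8.3+/8.4 identity twice-NAT that stops LAN traffic to the remote networks being translated. The third peer E.E.E.E and its 172.30.0.0/16 network, the object, ACL, map and group-policy names, and the pre-shared-key placeholders are assumptions; the encryption, hash and DH group must match what each remote peer offers. It assumes ASA 8.4(2) or later for the `no-proxy-arp route-lookup` options on the NAT lines.

```cisco
! Added example, not from the thread. The third peer E.E.E.E, its 172.30.0.0/16
! network, all object/ACL/map names and the <psk-...> placeholders are assumptions.
! Assumes ASA 8.4(2) or later (for "no-proxy-arp route-lookup" on the NAT lines).

! --- Crypto ACLs: one per peer, each matching only that peer's remote network ---
access-list VPN-TO-C extended permit ip 10.10.0.0 255.255.0.0 172.10.0.0 255.255.0.0
access-list VPN-TO-D extended permit ip 10.10.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list VPN-TO-E extended permit ip 10.10.0.0 255.255.0.0 172.30.0.0 255.255.0.0

! --- Phase 2 proposal (must match the peers; prefer AES over the 3DES in the posted config) ---
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! --- One crypto map, one sequence number per peer, bound once to outside ---
! All three tunnels terminate on the single outside address A.A.A.A.
! A backup peer for the same remote network can be listed after the primary
! ("set peer C.C.C.C <backup>"); the ASA tries them in order when it initiates,
! and the backup needs its own tunnel-group.
crypto map OUTSIDE-MAP 10 match address VPN-TO-C
crypto map OUTSIDE-MAP 10 set peer C.C.C.C
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP 20 match address VPN-TO-D
crypto map OUTSIDE-MAP 20 set peer D.D.D.D
crypto map OUTSIDE-MAP 20 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 20 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP 30 match address VPN-TO-E
crypto map OUTSIDE-MAP 30 set peer E.E.E.E
crypto map OUTSIDE-MAP 30 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 30 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside

! --- Phase 1 (group 5 kept from the posted policy; use a stronger group if both ends support it) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! --- Group policy for the L2L tunnels: never tear the tunnel down for idleness ---
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1

! --- One tunnel-group per peer, named by the peer address ---
! "isakmp keepalive" (DPD) detects a dead peer even when no user traffic flows,
! so the ASA can drop the stale SA and rebuild it (or move to a backup peer).
tunnel-group C.C.C.C type ipsec-l2l
tunnel-group C.C.C.C general-attributes
 default-group-policy L2L-POLICY
tunnel-group C.C.C.C ipsec-attributes
 ikev1 pre-shared-key <psk-for-C>
 isakmp keepalive threshold 10 retry 3
tunnel-group D.D.D.D type ipsec-l2l
tunnel-group D.D.D.D general-attributes
 default-group-policy L2L-POLICY
tunnel-group D.D.D.D ipsec-attributes
 ikev1 pre-shared-key <psk-for-D>
 isakmp keepalive threshold 10 retry 3
tunnel-group E.E.E.E type ipsec-l2l
tunnel-group E.E.E.E general-attributes
 default-group-policy L2L-POLICY
tunnel-group E.E.E.E ipsec-attributes
 ikev1 pre-shared-key <psk-for-E>
 isakmp keepalive threshold 10 retry 3

! --- 8.3+/8.4 NAT exemption (identity twice-NAT), one line per remote network ---
! Without this, the inside->outside dynamic NAT rewrites the 10.10.0.0/16 source
! before the crypto ACL is evaluated and the traffic never enters the tunnel.
object network LAN-10.10
 subnet 10.10.0.0 255.255.0.0
object network PEER-C-NET
 subnet 172.10.0.0 255.255.0.0
object network PEER-D-NET
 subnet 172.20.0.0 255.255.0.0
object network PEER-E-NET
 subnet 172.30.0.0 255.255.0.0
nat (inside,outside) source static LAN-10.10 LAN-10.10 destination static PEER-C-NET PEER-C-NET no-proxy-arp route-lookup
nat (inside,outside) source static LAN-10.10 LAN-10.10 destination static PEER-D-NET PEER-D-NET no-proxy-arp route-lookup
nat (inside,outside) source static LAN-10.10 LAN-10.10 destination static PEER-E-NET PEER-E-NET no-proxy-arp route-lookup
```

To check it, bring a tunnel up with real traffic and confirm the phase 1 and phase 2 SAs with `show crypto ikev1 sa` and `show crypto ipsec sa peer C.C.C.C`; `packet-tracer input inside tcp 10.10.1.10 12345 172.10.1.10 80` walks a constructed flow through the NAT and crypto phases and shows whether the identity NAT line and the VPN-TO-C ACL are the ones being hit. Because the crypto ACLs are per peer and do not overlap, each sequence number is matched only for its own remote network, which is what lets all three tunnels share A.A.A.A.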
 