
Multiple VPN in single Crypto Map


captnops
Feb 12, 2003
I have a need to create multiple L2L VPN Tunnels to multiple customers. What is the syntax to create those tunnels in a single crypto map?

TIA

 
the same as you would to create a single vpn. the 'map' is just that, how the device is going to build the tunnel.
 
Thank you. My issue is that I know I can create multiple L2L VPNs under a single crypto map, but I also have a need to incorporate a dynamic remote access VPN into the same map.

I did not word my question appropriately! :)

Thanks again for the help
 
it's no problem. you would do something like this:
Code:
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
! dynamic map for the remote-access clients (no fixed peer, no match address)
crypto dynamic-map dynmap 10
 set transform-set myset
!
! static L2L entries first, each with its own peer and its own crypto ACL
crypto map mymap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set myset
 match address crypto_acl1
crypto map mymap 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set myset
 match address crypto_acl2
!
! dynamic entry last (highest sequence number) so the static entries are evaluated first
crypto map mymap 100 ipsec-isakmp dynamic dynmap

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for all the help!
 
Oops... I do have another question.

This 2811 will host multiple VPNs (Remote Access, 2 L2Ls).
The L2Ls are going to two different companies. One of those companies just asked me to NAT the traffic to a specific network prior to encrypting.

I know that I can do that with:
IP NAT INSIDE SOURCE STATIC NETWORK x.x.x.x y.y.y.y /24

My question is this: How do I prevent the traffic for the other L2L VPN from using this NAT? And vice versa.

Thanks
 
you could use a route-map

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Would you folks be so kind as to review my config and advise. I cannot get the second tunnel (VPN 2) to come up. This tunnel requires that I source NAT my internal traffic destined for their network from a 10.10.X.X to a 10.129.XX.X subnet.

_____________________________

Current configuration : 2993 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
enable secret xxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
!
!
aaa session-id common
no network-clock-participate wic 0
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 XXXXXXXXX address 206.xx.xx.xx
crypto isakmp key XXXXXXXXXX address 12.xx.xx.xx
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN1-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.xx.xx.xx
set transform-set VPN1-VPN
match address 100
crypto map VPN 2 ipsec-isakmp
set peer 12.xxx.xx.xx
set transform-set VPN2-VPN
match address 101
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24

interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.xxx.xxx.xxx 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
interface Serial0/0/0:0
description QWEST INTERNET CIRCUIT ID# DS1IT 14436097
no ip address
ip virtual-reassembly
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx
!
!
ip http server
no ip http secure-server
ip nat inside source route-map VPN1 interface FastEthernet0/1 overload
ip nat inside source static 10.10.xxx.xxx 10.129.40.0 route-map VPN2MAP
!
no logging trap
access-list 100 permit ip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any administratively-prohibited
access-list 101 permit ip any any
!
!
!
!
route-map VPN1 permit 10
match ip address 100
!
route-map VPN2 permit 10
match ip address 101
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0045120209520547
transport input telnet
!
scheduler allocate 20000 1000
end
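
The config above is the kind of thing a cross-reference check catches before a tunnel is debugged by hand (the static NAT names route-map VPN2MAP while only VPN2 is defined, and ACL 100 is `permit ip any any`, so crypto map entry 1 claims every packet before entry 2 is consulted). As an added example that is not from the thread, here is a small Python audit of crypto map, dynamic-map, NAT and route-map references; `SAMPLE_CONFIG` is a constructed reduction of the thread's configs, with peer and transform-set lines left out.

```python
import re

# Constructed sample (not the poster's config): the thread's dangling references, with peer lines omitted.
SAMPLE_CONFIG = """\
crypto dynamic-map mymap 10
crypto map VPN 1 ipsec-isakmp
 match address 100
crypto map VPN 2 ipsec-isakmp
 match address 101
crypto map VPN 100 ipsec-isakmp dynamic dynmap
ip nat inside source route-map VPN1 interface FastEthernet0/1 overload
ip nat inside source static 10.10.1.0 10.129.40.0 route-map VPN2MAP
access-list 100 permit ip any any
access-list 101 permit ip any any
route-map VPN1 permit 10
route-map VPN2 permit 10
"""

def audit(config):
    dyn_defs, rmap_defs, acls = set(), set(), {}
    dyn_refs, rmap_refs, entries, cur = [], [], [], None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"crypto dynamic-map (\S+) \d+", s):
            dyn_defs.add(m[1]); cur = None
        elif m := re.match(r"route-map (\S+) ", s):
            rmap_defs.add(m[1]); cur = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", s):
            dyn_refs.append((m[1], m[2], m[3])); cur = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", s):
            cur = [m[1], int(m[2]), None]; entries.append(cur)  # [map, seq, acl]
        elif m := re.match(r"ip nat inside source .*route-map (\S+)", s):
            rmap_refs.append(m[1])
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+) (\S+)", s):
            acls.setdefault(m[1], []).append(m.groups()[1:])  # (proto, src, dst)
        elif cur and (m := re.match(r"match address (\S+)", s)):
            cur[2] = m[1]
    out = [f"crypto map {n} {q}: dynamic-map '{d}' is not defined"
           for n, q, d in dyn_refs if d not in dyn_defs]
    out += [f"NAT rule references undefined route-map '{r}'"
            for r in rmap_refs if r not in rmap_defs]
    shadow = {}  # map name -> first seq whose crypto ACL is 'permit ip any any'
    for name, seq, acl in sorted(entries, key=lambda e: e[:2]):
        if acl not in acls:
            out.append(f"crypto map {name} {seq}: ACL {acl} is not defined"); continue
        if name in shadow:  # an earlier any/any entry already claims all traffic
            out.append(f"crypto map {name} {seq}: shadowed by entry {shadow[name]} (permit ip any any)")
        if ("ip", "any", "any") in acls[acl]:
            out.append(f"crypto map {name} {seq}: ACL {acl} permits ip any any"); shadow.setdefault(name, seq)
    return out
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config`; an empty list means every referenced object exists and no crypto ACL swallows the later entries.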

 