Cisco ASA - 1 crypto map per interface

the_Grinch Member Posts: 4,165
Hey guys! Ultimately I am looking at setting up about 15 VPN tunnels to different vendors. Is it still the case that there can only be one crypto map per interface (we have an ASA 5515-X)? If so, would I just need to set up one map with multiple policies to get around this issue?

Thanks!
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • RouteMyPacket Member Posts: 1,104
    I wrote you out an entire example, now it's mysteriously gone. Jesus Christ this site.

    Anyway, you can have one crypto map on an interface, yes, but you can assign multiple map entries.

    i.e.,

    crypto map remote 10 match address vpn_to_SiteA
    crypto map remote 10 set peer x.x.x.x
    crypto map remote 10 set ikev1 transform-set ESP-AES-256-SHA
    crypto map remote 10 set security-association lifetime seconds 28800

    crypto map remote 20 match address vpn_to_SiteB
    crypto map remote 20 set peer x.x.x.x
    crypto map remote 20 set ikev1 transform-set ESP-AES-256-SHA
    crypto map remote 20 set security-association lifetime seconds 28800


    Then you will have tunnel-groups to reference

    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev1 pre-shared-key cisco123

    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • the_Grinch Member Posts: 4,165
    Excellent!! Thanks for the info and sorry your example got dropped! This was exactly what I thought would need to be done.
  • phoeneous Member Posts: 2,333
    Had an entire blog post on this, let me try to find it. But basically you set multiple index numbers after the crypto map remote command, like RouteMyPacket wrote.
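With 15 peers sharing one crypto map, the usual mistakes are an entry without a peer or transform-set, a peer with no matching ipsec-l2l tunnel-group, or a second map accidentally applied to the same interface. The script below is an added example, not from either poster, that audits a draft ASA config excerpt for exactly those points; the config text inside it is constructed and the check only understands the crypto map, interface binding and tunnel-group lines shown in the thread.

```python
from collections import defaultdict
# Constructed ASA config excerpt (not from the thread); entry 30 lacks a peer.
SAMPLE_CONFIG = """\
crypto map remote 10 match address vpn_to_SiteA
crypto map remote 10 set peer 198.51.100.10
crypto map remote 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map remote 30 match address vpn_to_SiteC
crypto map remote 30 set ikev1 transform-set ESP-AES-256-SHA
crypto map remote interface outside
crypto map backup interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
"""

def parse(config):
    """Collect crypto map entries, interface bindings and L2L tunnel-groups."""
    entries, bound, tunnel_groups = defaultdict(dict), defaultdict(list), set()
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["crypto", "map"] and len(t) >= 5:
            if t[3] == "interface":              # crypto map NAME interface IFACE
                bound[t[4]].append(t[2])
            elif t[3].isdigit():                  # crypto map NAME SEQ <setting>
                e, rest = entries[(t[2], int(t[3]))], t[4:]
                if rest[:2] == ["match", "address"] and len(rest) > 2:
                    e["acl"] = rest[2]
                elif rest[:2] == ["set", "peer"] and len(rest) > 2:
                    e["peer"] = rest[2]
                elif rest[0] == "set" and len(rest) > 2 and rest[-2] in ("transform-set", "ipsec-proposal"):
                    e["proposal"] = rest[-1]
        elif t[:1] == ["tunnel-group"] and t[2:4] == ["type", "ipsec-l2l"]:
            tunnel_groups.add(t[1])
    return entries, bound, tunnel_groups

def audit(config):
    """Return findings a reviewer should fix before applying; empty means clean."""
    entries, bound, tunnel_groups = parse(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        for key in ("acl", "peer", "proposal"):
            if key not in e:
                findings.append(f"{name} {seq}: missing {key}")
        if "peer" in e and e["peer"] not in tunnel_groups:
            findings.append(f"{name} {seq}: no ipsec-l2l tunnel-group for peer {e['peer']}")
    applied = {m for names in bound.values() for m in names}
    for name in sorted({n for n, _ in entries} - applied):
        findings.append(f"{name}: has entries but is not applied to any interface")
    for iface, names in sorted(bound.items()):
        if len(names) > 1:   # the ASA keeps only one crypto map per interface
            findings.append(f"{iface}: {len(names)} maps bound ({', '.join(names)})")
    return findings
```

Run audit() on the output of "show running-config crypto" before pasting a new entry; each finding names the map and sequence number so the offending lines are easy to locate.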