Solved

Cisco ASA5510 IPSEC VPN Problem/Question.

Posted on 2007-03-29
Last Modified: 2013-11-16
Hi Guys,

I have a Cisco ASA 5510 with three Ethernet interfaces. I am going to use the unit for point-to-point IPSEC VPNs between us and customers. I have one customer that wants to have an IPSEC VPN with a pre-shared key of their choosing, and another that will want to do the same!!

I know (or think) that you can only have one crypto map per physical interface. If this is correct, then can I have more than one pre-shared key per physical interface, so I can cater for both customers on the same interface with the same crypto map but a different pre-shared key? Or do I have to have a different physical interface and public IP per client that needs to do this?

Is there a concept of sub interfaces or not?

I have no clue!! Any help would be much appreciated.

Thanks

Kevin
Question by: kjorviss
Accepted Solution by: batry_boy (earned 500 total points)
ID: 18821086
You are correct that you can only have one crypto map per interface.  However, you can have more than one IPSEC tunnel per interface because the crypto map statement allows you to have multiple sequence numbers.  See the following example snippet of an ASA config:

! One transform set, shared by all three peers
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! A single crypto map (outside_map); each sequence number is one peer.
! The access-lists named in the "match address" lines (outside_NN_cryptomap)
! define each peer's interesting traffic and must be defined separately,
! one per sequence number, so that each entry matches only its own traffic.
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 3.3.3.3
crypto map outside_map 40 set transform-set ESP-3DES-SHA
! Bind the one map to the interface and enable ISAKMP on it
crypto map outside_map interface outside
crypto isakmp enable outside
! ISAKMP (phase 1) policies, tried in order of priority number
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! One tunnel-group per peer IP; the pre-shared key lives here, so each
! peer gets its own key even though they all share the same crypto map
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *

This config has 3 VPN tunnels configured with three different tunnel peers and each with their own pre-shared key...see the following link for more info on the IPSEC tunnel configuration with multiple peers:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

So, the answer to your question about needing multiple interfaces is no.  You can implement VLANs on the ASA if you need more interfaces than you have physical ones.
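As an added example (not part of the original answer and not a Cisco tool), here is a small Python checker that parses the crypto map and tunnel-group lines of an ASA running config and reports the mistakes that typically break the multi-peer layout described above: a peer with no matching `tunnel-group ... type ipsec-l2l`, a tunnel-group without a pre-shared key, an access-list matched by more than one sequence number (crypto map entries are evaluated in ascending sequence order, so the higher entry never sees that traffic), and more than one crypto map bound to the same interface. It assumes, as in the snippet above, that L2L tunnel-groups are named by peer IP. The embedded config is constructed to mirror the snippet, with two deliberate faults so the checker has something to report.

```python
"""Sanity-check the multi-peer crypto map / tunnel-group layout of an ASA config."""
import re
from collections import defaultdict

# Constructed sample mirroring the layout discussed on this page (not a real
# device dump). Two deliberate faults: sequence 40 reuses sequence 30's ACL,
# and peer 3.3.3.3 has a tunnel-group but no pre-shared key.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_30_cryptomap
crypto map outside_map 40 set peer 3.3.3.3
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
"""

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TG_TYPE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
TG_ATTR = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
PSK = re.compile(r"^\s+pre-shared-key\s+\S+")
FIELD = {"match address": "acl", "set peer": "peer", "set transform-set": "transform"}


def parse(config):
    """Collect crypto map entries, interface bindings and tunnel-group facts."""
    entries = defaultdict(dict)   # (map name, seq) -> {"acl", "peer", "transform"}
    bindings = defaultdict(list)  # interface -> [map names bound to it]
    tg_types = {}                 # tunnel-group name -> type
    psk_groups = set()            # tunnel-groups that carry a pre-shared-key
    current_tg = None             # tunnel-group whose ipsec-attributes we are in
    for raw in config.splitlines():
        line = raw.rstrip()
        m = MAP_ENTRY.match(line)
        if m:
            name, seq, kind, value = m.groups()
            entries[(name, int(seq))][FIELD[kind]] = value
            current_tg = None
            continue
        m = MAP_IFACE.match(line)
        if m:
            bindings[m.group(2)].append(m.group(1))
            current_tg = None
            continue
        m = TG_TYPE.match(line)
        if m:
            tg_types[m.group(1)] = m.group(2)
            current_tg = None
            continue
        m = TG_ATTR.match(line)
        if m:
            current_tg = m.group(1)
            continue
        if current_tg and PSK.match(line):
            psk_groups.add(current_tg)
            continue
        if not line.startswith(" "):
            current_tg = None     # any other top-level line leaves the sub-mode
    return entries, bindings, tg_types, psk_groups


def audit(config):
    """Return a list of human-readable findings; an empty list means no issues."""
    entries, bindings, tg_types, psk_groups = parse(config)
    findings = []
    acl_users = defaultdict(list)
    for (name, seq), e in sorted(entries.items()):
        for field in ("acl", "peer", "transform"):
            if field not in e:
                findings.append(f"{name} {seq}: missing {field}")
        if "acl" in e:
            acl_users[e["acl"]].append(f"{name} {seq}")
        peer = e.get("peer")
        if peer and tg_types.get(peer) != "ipsec-l2l":
            findings.append(f"{name} {seq}: peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
        elif peer and peer not in psk_groups:
            findings.append(f"{name} {seq}: tunnel-group {peer} has no pre-shared-key")
    for acl, users in acl_users.items():
        if len(users) > 1:
            findings.append(f"ACL {acl} is matched by more than one entry ({', '.join(users)}); "
                            "the lowest sequence number wins and the others never match")
    for iface, maps in bindings.items():
        if len(set(maps)) > 1:
            findings.append(f"interface {iface}: more than one crypto map bound ({', '.join(maps)}); "
                            "the ASA allows only one per interface")
    bound = {m for maps in bindings.values() for m in maps}
    for name in sorted({n for n, _ in entries}):
        if name not in bound:
            findings.append(f"crypto map {name} is not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

To run it against a real box, feed the output of `show running-config` (the key itself is masked there, which is fine since the checker only tests for the presence of the `pre-shared-key` line). Fixing the two faults in the sample (give sequence 40 its own ACL and add the `ipsec-attributes` block for 3.3.3.3) brings the finding list to empty.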
Author Comment by: kjorviss
ID: 18822672
Thanks for that, it has put my mind at rest.....

Thanks again

Kevin