Cisco ASA5510 IPSEC VPN Problem/Question.

Posted on 2007-03-29
Last Modified: 2013-11-16
Hi Guys,

I have a Cisco ASA 5510 with three Ethernet interfaces. I am going to use the unit for point-to-point IPSEC VPNs between us and customers. I have one customer that wants to have an IPSEC VPN with a pre-shared key of their choosing, and another that will want to do the same!!

I know (or think) that you can only have one crypto map per physical interface. If this is correct then can I have more than one pre-shared key per physical interface, so I can cater for both customers on the same interface with the same crypto map but different pre-shared keys? Or do I have to have a different physical interface and public IP per client that needs to do this?

Is there a concept of sub interfaces or not?

I have no clue!! Any help would be much appreciated.

Thanks

Kevin
Question by:kjorviss
2 Comments
Accepted Solution

by:
batry_boy earned 500 total points
You are correct that you can only have one crypto map per interface.  However, you can have more than one IPSEC tunnel per interface because the crypto map statement allows you to have multiple sequence numbers.  See the following example snippet of an ASA config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! One crypto map (outside_map); each sequence number is a separate tunnel
! with its own crypto ACL and its own peer
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 3.3.3.3
crypto map outside_map 40 set transform-set ESP-3DES-SHA
! The single map is bound to the physical interface once
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! Each peer gets its own tunnel-group, and therefore its own pre-shared key
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *

This config has 3 VPN tunnels configured with three different tunnel peers, each with their own pre-shared key. See the following link for more info on the IPSEC tunnel configuration with multiple peers:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

So, the answer to your question about needing multiple interfaces is no. You can implement VLANs on the ASA if you need more interfaces than you have physical ones.
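As an added illustration (not part of batry_boy's answer and not Cisco tooling), the following Python script parses the crypto map / tunnel-group pattern described above out of a running-config and checks the things that go wrong when several site-to-site peers share one interface: every `set peer` needs a matching `tunnel-group` carrying a `pre-shared-key`, no two map sequences should reference the same crypto ACL, and an ISAKMP policy should not be left on `hash md5`. The sample config, its IP addresses and the two planted defects (sequence 40 reusing the sequence-30 ACL, and a peer 4.4.4.4 with no tunnel-group) are constructed for this example.

```python
"""Audit the crypto map / tunnel-group pattern in an ASA running-config (hypothetical helper)."""
import re
from collections import defaultdict

# Constructed sample modelled on the accepted answer (not a real config).
# Two defects are planted for the audit to catch:
#   - sequence 40 reuses outside_30_cryptomap (a copy-paste slip)
#   - sequence 50 points at peer 4.4.4.4, which has no tunnel-group
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_30_cryptomap
crypto map outside_map 40 set peer 3.3.3.3
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer 4.4.4.4
crypto map outside_map 50 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) (type|ipsec-attributes)(?: (\S+))?$")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
FIELD = {"match address": "acl", "set peer": "peer", "set transform-set": "transform"}


def parse_config(config):
    """Return ({(map, seq): fields}, {tunnel-group: {"type", "psk"}}, {policy: hash})."""
    maps, groups, hashes = defaultdict(dict), {}, {}
    mode = None  # ("tg", name) or ("policy", number) while inside a sub-mode
    for line in config.splitlines():
        word = line.split()
        if not word:
            continue
        if line.startswith(" "):  # indented: attribute of the last top-level command
            if mode and mode[0] == "tg" and word[0] == "pre-shared-key":
                groups[mode[1]]["psk"] = True
            elif mode and mode[0] == "policy" and word[0] == "hash":
                hashes[mode[1]] = word[1]
            continue
        mode = None
        if m := MAP_RE.match(line):
            maps[(m[1], int(m[2]))][FIELD[m[3]]] = m[4]
        elif m := TG_RE.match(line):
            grp = groups.setdefault(m[1], {"type": None, "psk": False})
            if m[2] == "type":
                grp["type"] = m[3]
            else:
                mode = ("tg", m[1])
        elif m := POLICY_RE.match(line):
            mode = ("policy", int(m[1]))
    return dict(maps), groups, hashes


def audit(config):
    """Return human-readable findings; an empty list means the pattern is sound."""
    maps, groups, hashes = parse_config(config)
    findings, acl_users = [], defaultdict(list)
    for (name, seq), entry in sorted(maps.items()):
        peer = entry.get("peer")
        if peer is None:
            findings.append(f"{name} {seq}: no 'set peer'")
        elif peer not in groups:
            findings.append(f"{name} {seq}: peer {peer} has no tunnel-group, so no "
                            "pre-shared key can be offered to it")
        elif not groups[peer]["psk"]:
            findings.append(f"{name} {seq}: tunnel-group {peer} has no pre-shared-key")
        elif groups[peer]["type"] != "ipsec-l2l":
            findings.append(f"{name} {seq}: tunnel-group {peer} is not type ipsec-l2l")
        if "acl" in entry:
            acl_users[entry["acl"]].append(seq)
    for acl, seqs in acl_users.items():
        if len(seqs) > 1:
            findings.append(f"ACL {acl} is used by sequences {seqs}; entries are tried "
                            "in order, so only the lowest one can ever match")
    for policy, h in sorted(hashes.items()):
        if h == "md5":
            findings.append(f"isakmp policy {policy}: hash md5 is weak, use sha")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns three findings: the orphan peer 4.4.4.4, the ACL shared by sequences 30 and 40, and the md5 hash in policy 20. The shared-ACL check matters because the ASA walks crypto map entries in sequence order and uses the first whose ACL matches the traffic, so a duplicated ACL silently leaves the later peer without a tunnel.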
 

Author Comment

by:kjorviss
Thanks for that, it has put my mind at rest.....

Thanks again

Kevin