Cisco ASA5510 IPSEC VPN Problem/Question.

Hi Guys,

I have a Cisco ASA 5510 with three Ethernet interfaces. I am going to use the unit for ponit-to-point IPSEC VPNs between us and customers. I have one customer that wants to have an IPSEC VPN with a pre shared key of their choosing, and another that will want to do the same!!

I know (or think) that you can only have one crypto map per physical interface. If this is correct then can I have more than one preshared key per physical interface, so I can cater for both customers on the same interface with the same crypto map but different pre shared key? Or do I have to have a different physical interface and public IP per client that needs to do this?

Is there a concept of sub interfaces or not?

I have no clue!! Any help would be much appreciated.

Thanks

Kevin
kjorvissAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

batry_boyCommented:
You are correct that you can only have one crypto map per interface.  However, you can have more than one IPSEC tunnel per interface because the crypto map statement allows you to have multiple sequence numbers.  See the following example snippet of an ASA config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_30_cryptomap
crypto map outside_map 40 set peer 3.3.3.3
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *

This config has 3 VPN tunnels configured with three different tunnel peers and each with their own pre-shared key...see the following link for more info on the IPSEC tunnel configuration with multiple peers:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

So, the answer to your question about needing multiple interfaces is no.  You can implement VLAN's on the ASA if you need more interfaces than you have physical ones.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kjorvissAuthor Commented:
Thanks for that, it has put my mind at rest.....

Thanks again

Kevin
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.