Solved

Cisco ASA5510 IPSEC VPN Problem/Question.

Posted on 2007-03-29
Last Modified: 2013-11-16
Hi Guys,

I have a Cisco ASA 5510 with three Ethernet interfaces. I am going to use the unit for point-to-point IPSEC VPNs between us and customers. I have one customer that wants to have an IPSEC VPN with a pre-shared key of their choosing, and another that will want to do the same!!

I know (or think) that you can only have one crypto map per physical interface. If this is correct, then can I have more than one pre-shared key per physical interface, so I can cater for both customers on the same interface with the same crypto map but different pre-shared keys? Or do I have to have a different physical interface and public IP per client that needs to do this?

Is there a concept of sub interfaces or not?

I have no clue!! Any help would be much appreciated.

Thanks

Kevin
Question by:kjorviss
2 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18821086
You are correct that you can only have one crypto map per interface.  However, you can have more than one IPSEC tunnel per interface because the crypto map statement allows you to have multiple sequence numbers.  See the following example snippet of an ASA config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! One crypto map on the interface; each sequence number is a separate tunnel
! with its own match ACL and its own peer
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 3.3.3.3
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! One tunnel-group per peer address; the pre-shared key is set per tunnel-group,
! so every peer can have a different key on the same interface
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *

This config has 3 VPN tunnels configured with three different tunnel peers, each with their own pre-shared key. See the following link for more info on the IPSEC tunnel configuration with multiple peers:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

So, the answer to your question about needing multiple interfaces is no. You can implement VLANs on the ASA if you need more interfaces than you have physical ones.
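The accepted answer's pattern (one crypto map per interface, one sequence number and one tunnel-group with its own pre-shared key per peer) has a few ways to go quietly wrong: a sequence number with no matching tunnel-group, a tunnel-group without a key, or two sequence numbers matching the same ACL, in which case the ASA only ever uses the lower one and the second peer never gets a tunnel. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses this style of config and reports those inconsistencies, plus ISAKMP policies still using 3DES or MD5. The sample config embedded in it is constructed for the example (keys masked as `*`) and deliberately contains a reused ACL and a peer with no tunnel-group.

```python
"""Consistency audit for the ASA pattern in the answer above: one crypto map per
interface, one sequence number and one tunnel-group (own pre-shared key) per peer.
Added example, not from the thread. Flags a sequence missing peer/ACL/transform-set,
a peer with no tunnel-group or pre-shared-key, two sequences matching the same ACL
(only the lower one is ever used), and ISAKMP policies still using 3DES or MD5."""
import re
from collections import defaultdict

# Constructed sample (keys masked as "*"): sequence 40 reuses the sequence-30
# ACL and peer 3.3.3.3 has no tunnel-group, so the audit has something to find.
SAMPLE_CONFIG = """\
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_30_cryptomap
crypto map outside_map 40 set peer 3.3.3.3
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) (?:type (\S+)|ipsec-attributes)$")
ISAKMP_POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
REQUIRED_FIELDS = ("match address", "set peer", "set transform-set")
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}}


def parse_config(text):
    crypto_maps = defaultdict(lambda: defaultdict(dict))  # name -> seq -> field -> value
    tunnel_groups = defaultdict(dict)                     # peer -> {"type": .., "psk": True}
    policies = defaultdict(dict)                          # number -> {"encryption": .., "hash": ..}
    section = None  # ("tunnel-group", peer) or ("policy", number) while inside a block
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):  # indented sub-command belongs to the open block
            parts = line.split()
            if section and section[0] == "tunnel-group" and parts[0] == "pre-shared-key":
                tunnel_groups[section[1]]["psk"] = True
            elif section and section[0] == "policy" and len(parts) == 2:
                policies[section[1]][parts[0]] = parts[1]
            continue
        section = None  # any top-level command closes the previous block
        if m := CRYPTO_MAP_RE.match(line):
            name, seq, field, value = m.groups()
            crypto_maps[name][int(seq)][field] = value
        elif m := TUNNEL_GROUP_RE.match(line):
            peer, tg_type = m.groups()
            if tg_type:
                tunnel_groups[peer]["type"] = tg_type
            else:
                section = ("tunnel-group", peer)
        elif m := ISAKMP_POLICY_RE.match(line):
            section = ("policy", int(m.group(1)))
    return crypto_maps, tunnel_groups, policies


def audit(text):
    """Return human-readable findings; an empty list means the config is consistent."""
    crypto_maps, tunnel_groups, policies = parse_config(text)
    findings = []
    for name, seqs in crypto_maps.items():
        acl_users = defaultdict(list)
        for seq in sorted(seqs):
            entry = seqs[seq]
            findings += [f"{name} {seq}: missing '{f}'" for f in REQUIRED_FIELDS if f not in entry]
            if "match address" in entry:
                acl_users[entry["match address"]].append(seq)
            peer = entry.get("set peer")
            if peer is None:
                continue
            tg = tunnel_groups.get(peer)
            if tg is None:
                findings.append(f"{name} {seq}: peer {peer} has no tunnel-group")
            elif not tg.get("psk"):
                findings.append(f"{name} {seq}: tunnel-group {peer} has no pre-shared-key")
        # Sequence numbers are evaluated in order: a later entry matching the same ACL is shadowed.
        for acl, users in acl_users.items():
            if len(users) > 1:
                seq_list = ", ".join(map(str, users))
                findings.append(f"{name}: ACL {acl} matched by sequences {seq_list}; only {users[0]} is ever used")
    for num in sorted(policies):
        for field, weak_values in WEAK.items():
            if policies[num].get(field) in weak_values:
                findings.append(f"isakmp policy {num}: weak {field} {policies[num][field]}")
    return findings


# Same sample with the two structural defects repaired: a distinct ACL for
# sequence 40 and a tunnel-group with its own pre-shared key for peer 3.3.3.3.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "outside_map 40 match address outside_30_cryptomap",
    "outside_map 40 match address outside_40_cryptomap",
) + "tunnel-group 3.3.3.3 type ipsec-l2l\ntunnel-group 3.3.3.3 ipsec-attributes\n pre-shared-key *\n"
```

Running `audit(SAMPLE_CONFIG)` reports the shadowed ACL and the peer with no tunnel-group alongside the two weak-cipher findings; `audit(FIXED_CONFIG)` leaves only the weak-cipher findings, which is the state to aim for before moving the ISAKMP policy off 3DES/MD5. The parser only understands the commands it needs and ignores everything else, so it can be pointed at a full `show running-config` paste.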

Author Comment

by:kjorviss
ID: 18822672
Thanks for that, it has put my mind at rest...

Thanks again

Kevin