Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco ASA5510 IPSEC VPN Problem/Question.

Posted on 2007-03-29
2
Medium Priority
?
358 Views
Last Modified: 2013-11-16
Hi Guys,

I have a Cisco ASA 5510 with three Ethernet interfaces. I am going to use the unit for ponit-to-point IPSEC VPNs between us and customers. I have one customer that wants to have an IPSEC VPN with a pre shared key of their choosing, and another that will want to do the same!!

I know (or think) that you can only have one crypto map per physical interface. If this is correct then can I have more than one preshared key per physical interface, so I can cater for both customers on the same interface with the same crypto map but different pre shared key? Or do I have to have a different physical interface and public IP per client that needs to do this?

Is there a concept of sub interfaces or not?

I have no clue!! Any help would be much appreciated.

Thanks

Kevin
0
Comment
Question by:kjorviss
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 2000 total points
ID: 18821086
You are correct that you can only have one crypto map per interface.  However, you can have more than one IPSEC tunnel per interface because the crypto map statement allows you to have multiple sequence numbers.  See the following example snippet of an ASA config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer 2.2.2.2
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_30_cryptomap
crypto map outside_map 40 set peer 3.3.3.3
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 pre-shared-key *

This config has 3 VPN tunnels configured with three different tunnel peers and each with their own pre-shared key...see the following link for more info on the IPSEC tunnel configuration with multiple peers:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

So, the answer to your question about needing multiple interfaces is no.  You can implement VLAN's on the ASA if you need more interfaces than you have physical ones.
0
 

Author Comment

by:kjorviss
ID: 18822672
Thanks for that, it has put my mind at rest.....

Thanks again

Kevin
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question