[c-nsp] asa 5520, more than one crypto map?
Scott Granados
gsgranados at comcast.net
Mon Aug 17 18:30:34 EDT 2009
Hi, I'm having an issue binding more than one map to the outside interface,
so I need someone to set me straight. :)
Background
I have an ASA 5520 that's providing access to a private network via the
Cisco VPN client. I wish to establish a few LAN-to-LAN sessions to branch
offices using the same concentrator.
Problem: when I apply one map to the outside interface, the previously added
map is removed.
For example, if I have the following in place:
crypto ipsec transform-set ny-trans esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
and then add the following:
crypto map ny-map 10 match address ny-vpn-acl
crypto map ny-map 10 set peer ny-fw-outside
crypto map ny-map 10 set transform-set ny-trans
crypto map ny-map 10 set reverse-route
crypto map ny-map interface outside
I end up with the following in my startup and running configs:
crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route
crypto map ny-map 10 match address ny-vpn-acl
crypto map ny-map 10 set peer ny-fw-outside
crypto map ny-map 10 set transform-set ny-trans
crypto map ny-map 10 set reverse-route
crypto map ny-map interface outside
crypto map vpn-ra-map 10 ipsec-isakmp dynamic dynmap
(no vpn-ra-map interface outside for clients)
So my client access breaks as soon as I add the second map for the NY
LAN-to-LAN tunnel. What am I doing wrong? Is there a different way to add
more than one map to an interface? Any pointers would be appreciated.
Thanks
Scott
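Added example (editor's note, not part of Scott's post or his configuration): the ASA binds exactly one crypto map to an interface, so the second `crypto map ... interface outside` line replaces the first rather than adding to it. The usual way to carry both the LAN-to-LAN tunnel and the remote-access clients on the same outside interface is a single crypto map in which the static LAN-to-LAN entries take low sequence numbers and the dynamic-map entry takes the highest one, because the ASA evaluates entries in sequence order and the dynamic entry should be the catch-all evaluated last. The map name `outside-map`, the peer address 203.0.113.10 and the tunnel-group lines are assumptions for illustration; the transform sets, ACL name, peer name and dynamic map are the ones from the post.

```cisco
! Added example, not the original poster's running config.
! One crypto map per interface: static L2L entries first (low seq),
! the dynamic remote-access entry last (highest seq).
crypto ipsec transform-set ny-trans esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac

! Remote-access clients keep the dynamic map exactly as before
crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route

! Single map "outside-map" (assumed name) bound to outside.
! Sequence 10: the NY LAN-to-LAN tunnel (static peer, interesting-traffic ACL)
crypto map outside-map 10 match address ny-vpn-acl
crypto map outside-map 10 set peer ny-fw-outside
crypto map outside-map 10 set transform-set ny-trans
crypto map outside-map 10 set reverse-route
! Further branch offices would go at seq 20, 30, ... with their own
! ACL, peer and transform set.

! Highest sequence number: the dynamic entry for VPN clients, evaluated
! only when no static entry matched.
crypto map outside-map 65535 ipsec-isakmp dynamic dynmap

! Exactly one "interface outside" binding for the whole map
crypto map outside-map interface outside

! Assumed, not shown in the post: a LAN-to-LAN peer also needs a
! tunnel-group keyed by its IP address (203.0.113.10 is a placeholder
! for the address that the name ny-fw-outside resolves to). The ISAKMP
! policy and "crypto isakmp enable outside" are assumed to exist already,
! since the remote-access clients were working.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <redacted>
```

After applying this, `show run crypto map` should list the static entry, the dynamic entry and a single `crypto map outside-map interface outside` line under one map name; once the NY side initiates or responds, `show crypto isakmp sa` and `show crypto ipsec sa` show the 203.0.113.10 peer alongside the client sessions. Two caveats worth keeping in mind: the old `ny-map` and `vpn-ra-map` entries should be removed so that only one map carries the `interface outside` binding, and `esp-md5-hmac` in the NY transform set is a deprecated integrity algorithm, so if the branch firewall supports it, `esp-sha-hmac` (or better) is the safer choice.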