[c-nsp] asa 5520, more than one crypto map?

Ryan West rwest at zyedge.com
Mon Aug 17 18:48:23 EDT 2009 

Scott,

Add the following to your ny-map:

crypto map ny-map 65535 ipsec-isakmp dynamic dynmap

That should get you what you want.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Monday, August 17, 2009 6:31 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] asa 5520, more than one crypto map?

Hi, I'm having an issue binding more than one map to the outside interface 
so I need someone to set me straight.:)

Background

I have an ASA 5520 that's providing access to a private network via the 
Cisco VPN client. I wish to establish a few LAN-to-LAN sessions to branch 
offices using the same concentrator.

Problem, when I apply one map to the outside interface the previously added 
map is removed.
For example,

IF I have the following in place.
crypto ipsec transform-set ny-trans esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
and then add the following

crypto map ny-map 10 match address ny-vpn-acl
crypto map ny-map 10 set peer ny-fw-outside
crypto map ny-map 10 set transform-set ny-trans
crypto map ny-map 10 set reverse-route
crypto map ny-map interface outside
I end up with the following in my startup and running configs

crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route
crypto map ny-map 10 match address ny-vpn-acl
crypto map ny-map 10 set peer ny-fw-outside
crypto map ny-map 10 set transform-set ny-trans
crypto map ny-map 10 set reverse-route
crypto map ny-map interface outside
crypto map vpn-ra-map 10 ipsec-isakmp dynamic dynmap


(no vpn-ra-map interface outside for clients)

So my client access breaks as soon as I add the second map for the NY 
LAN-to-LAN tunnel.  What am I doing wrong?  Is there a different way to add 
more than one map to an interface? Any pointers would be appreciated.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list