
ASA 5506-X L2L VPN

mickyq
Beginner

I am trying to create an L2L VPN over an internal network. The inside interface is facing the internal network, the outside facing a third party network.

Using an ASA 5506-X I can't enable the crypto map on the inside interface. The only option I get to apply the crypto map is the outside interface.

 

Third Party Network ---- firewall --- internal LAN ----- firewall ----third party network
                                             <--------------------->
                                                              VPN

 

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 172.2.5.1 255.255.255.0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside1
security-level 100
!
interface BVI1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
object network OBJ-STAFF
subnet 172.2.5.0 255.255.255.0
!
object network OBJ-ANY
subnet 0.0.0.0 0.0.0.0
!
access-list vpn-traffic extended permit ip object OBJ-STAFF object OBJ-ANY
!
crypto ipsec ikev1 transform-set VPN esp-aes-256 esp-sha-hmac
!
crypto map HS 10 match address vpn-traffic
crypto map HS 10 set peer 10.1.1.2
crypto map HS 10 set ikev1 transform-set VPN
crypto map HS 10 set security-association lifetime seconds 7200
crypto ca trustpool policy
crypto ikev1 enable inside1
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
!
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
!
###############################################

(config)# cry map HS interface ?

configure mode commands/options:
Current available interface(s):
outside Name of interface GigabitEthernet1/1

###############################################

(config)# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 172.2.5.1 255.255.255.0 manual
GigabitEthernet1/2 inside1 10.1.1.1 255.255.255.0 manual
BVI1 inside 10.1.1.1 255.255.255.0 manual

###############################################



 

Accepted Solutions

Shinpei Kono
Cisco Employee

Hi, the crypto map command is disabled for BVI and BVI member interfaces because VPN termination is not supported on BVI. Unbind the bridge-group and remove the BVI, then configure the IP settings on Gi1/2 if you just have the single interface that has 10.1.1.0/24. I don't think you have other BVI members impacted by the change, given that all the IP traffic received on outside to any destination is subject to the vpn-traffic ACL.
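
A pre-change check for the limitation described in the answer above, as an added example that is not part of the original thread and not Cisco tooling: it parses a running-config, reports crypto statements bound to a BVI or bridge-group member, and lists the interfaces left where a crypto map can be applied. The sample configuration is constructed from the one posted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the configuration posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 172.2.5.1 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside1
!
interface BVI1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
!
crypto map HS 10 set peer 10.1.1.2
crypto ikev1 enable inside1
"""

# Statements that bind IKE or a crypto map to a named interface.
CRYPTO_BIND = re.compile(r"crypto (?:map \S+ interface|ikev[12] enable) (\S+)")

def parse_interfaces(config):
    """Map each nameif to its port and whether it is a BVI or bridge-group member."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # also accepts configs pasted without indentation
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            port = m.group(1)
            current = {"port": port, "bridged": port.upper().startswith("BVI")}
        elif line == "!":
            current = None
        elif current is not None and line.startswith("bridge-group "):
            current["bridged"] = True
        elif current is not None and line.startswith("nameif "):
            interfaces[line.split()[1]] = current
    return interfaces

def vpn_termination_findings(config):
    """Return (nameif, port, statement) for crypto bindings on bridged interfaces."""
    interfaces, findings = parse_interfaces(config), []
    for raw in config.splitlines():
        m = CRYPTO_BIND.match(raw.strip())
        if m and interfaces.get(m.group(1), {}).get("bridged"):
            findings.append((m.group(1), interfaces[m.group(1)]["port"], raw.strip()))
    return findings

def eligible_interfaces(config):
    return sorted(n for n, i in parse_interfaces(config).items() if not i["bridged"])
```

On the sample, `eligible_interfaces` returns only `outside`, matching what `crypto map HS interface ?` offered in the question.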


Thanks Shinpei.
I'll give that a try and let you know.
Sorry for the late reply, I didn't receive an email to say I had a message.

No worries. I am glad the issue seemed to be resolved.
