mickyq
Beginner

ASA 5506-X L2L VPN

I am trying to create an L2L VPN over an internal network. The inside interface is facing the internal network, the outside facing a third-party network.

Using an ASA 5506-X I can't enable the crypto map on the inside interface. The only option I get to apply the crypto map to is the outside interface.


Third Party Network ---- firewall --- internal LAN ----- firewall ----third party network
                                             <--------------------->
                                                              VPN


interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 172.2.5.1 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside1
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
object network OBJ-STAFF
 subnet 172.2.5.0 255.255.255.0
!
object network OBJ-ANY
 subnet 0.0.0.0 0.0.0.0
!
access-list vpn-traffic extended permit ip object OBJ-STAFF object OBJ-ANY
!
crypto ipsec ikev1 transform-set VPN esp-aes-256 esp-sha-hmac
!
crypto map HS 10 match address vpn-traffic
crypto map HS 10 set peer 10.1.1.2
crypto map HS 10 set ikev1 transform-set VPN
crypto map HS 10 set security-association lifetime seconds 7200
crypto ca trustpool policy
crypto ikev1 enable inside1
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
###############################################

(config)# cry map HS interface ?

configure mode commands/options:
Current available interface(s):
outside Name of interface GigabitEthernet1/1

###############################################

(config)# show ip
System IP Addresses:
Interface            Name      IP address   Subnet mask      Method
GigabitEthernet1/1   outside   172.2.5.1    255.255.255.0    manual
GigabitEthernet1/2   inside1   10.1.1.1     255.255.255.0    manual
BVI1                 inside    10.1.1.1     255.255.255.0    manual

###############################################

Accepted Solution
Shinpei Kono
Cisco Employee

Hi, the crypto map command is disabled for a BVI and its member interfaces because VPN termination is not supported on a BVI. Unbind the bridge-group and remove the BVI, then configure the IP setting on Gi1/2 if you just have the single interface that has 10.1.1.0/24. I don't think you have other BVI members impacted by the change, given that all the IP traffic received on outside to any destination is subject to the vpn-traffic ACL.

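A worked version of that fix, added here as an example; it is not taken from the thread or from Cisco documentation. It assumes GigabitEthernet1/2 is the only member of bridge-group 1, that the 10.1.1.1/24 address simply moves from BVI1 to the physical interface, and that the existing nameif inside1 is kept so the posted `crypto ikev1 enable inside1` line and the rest of the crypto configuration stay valid. The `no interface BVI1` form mirrors how the BVI appears in the posted config; confirm the exact syntax on your ASA version.

```cisco
! Added example (not from the thread): the BVI-free layout the accepted
! answer describes. Assumes Gi1/2 is the only bridge-group 1 member and
! keeps its nameif "inside1" so no other config has to be re-pointed.
!
! 1. Detach the member interface from the bridge group, then delete the
!    BVI so its 10.1.1.1 address is free to reuse on the routed interface.
interface GigabitEthernet1/2
 no bridge-group 1
!
no interface BVI1
!
! 2. Put the address that BVI1 carried directly on the now-routed Gi1/2.
!    nameif inside1 and security-level 100 are unchanged from the post.
interface GigabitEthernet1/2
 ip address 10.1.1.1 255.255.255.0
!
! 3. "crypto ikev1 enable inside1" is already present in the posted config;
!    with inside1 now routed, the crypto map binding is accepted here.
crypto map HS interface inside1
!
! 4. Verification: the map must now list inside1, and after interesting
!    traffic (172.2.5.0/24 -> any, per ACL vpn-traffic) crosses the box the
!    IKEv1 SA to 10.1.1.2 should show MM_ACTIVE.
show run crypto map
show crypto ikev1 sa
show crypto ipsec sa peer 10.1.1.2
```

If `crypto map HS interface ?` still offers only outside after step 2, check `show ip` first: Gi1/2 has to appear with its own address and no BVI1 row before the ASA will accept the binding. The IKEv1 proposal (pre-shared key, AES-256, SHA-1, group 5) is left exactly as posted so the peer at 10.1.1.2 still matches it.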


Thanks Shinpei.
I'll give that a try and let you know.
Sorry for the late reply, I didn't receive an email to say I had a message.

No worries. I am glad the issue seemed to be resolved.
