09-12-2018 05:31 AM - edited 02-21-2020 08:13 AM
I am trying to create an L2L VPN over an internal network. The inside interface
is facing the internal network, the outside facing a third party network.
Using an ASA 5506-X I can't enable the crypto map on the inside interface. The only option I get to apply the crypto map is the outside interface.
Third Party Network ---- firewall --- internal LAN ----- firewall ---- third party network
<--------------------->
VPN
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 172.2.5.1 255.255.255.0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside1
security-level 100
!
interface BVI1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
object network OBJ-STAFF
subnet 172.2.5.0 255.255.255.0
!
object network OBJ-ANY
subnet 0.0.0.0 0.0.0.0
!
access-list vpn-traffic extended permit ip object OBJ-STAFF object OBJ-ANY
!
crypto ipsec ikev1 transform-set VPN esp-aes-256 esp-sha-hmac
!
crypto map HS 10 match address vpn-traffic
crypto map HS 10 set peer 10.1.1.2
crypto map HS 10 set ikev1 transform-set VPN
crypto map HS 10 set security-association lifetime seconds 7200
crypto ca trustpool policy
crypto ikev1 enable inside1
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
!
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
!
###############################################
(config)# cry map HS interface ?
configure mode commands/options:
Current available interface(s):
outside Name of interface GigabitEthernet1/1
###############################################
(config)# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside 172.2.5.1 255.255.255.0 manual
GigabitEthernet1/2 inside1 10.1.1.1 255.255.255.0 manual
BVI1 inside 10.1.1.1 255.255.255.0 manual
###############################################
09-13-2018 07:15 PM
Hi, the crypto map command is disabled for BVI and BVI member interfaces because VPN termination is not supported on a BVI. Unbind the bridge-group and remove the BVI, then configure the IP settings on Gi1/2 if you just have the single interface that has 10.1.1.0/24. I don't think you have other BVI members impacted by the change, given that all the IP traffic received on outside to any destination is subject to the vpn-traffic ACL.
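For reference, here is what the interface side of the posted configuration looks like once Gi1/2 is taken out of the bridge group and given the address that used to sit on BVI1, so that the existing HS crypto map can be bound to it. This is an added illustration based on the answer above, not configuration from the thread; the interface name inside1 and the addresses are kept from the original post, and the exact command to delete the BVI is assumed (it can differ between ASA releases, so check it on your own box).

```cisco
! Added example (not from the original thread): convert the BVI member to a routed
! interface so the crypto map can be applied to it.

! 1. Take Gi1/2 out of bridge-group 1 so it becomes a routed interface.
interface GigabitEthernet1/2
 no bridge-group 1
 nameif inside1
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! 2. Remove the now-empty BVI (assumed syntax; it no longer holds any member or address).
no interface BVI1
!
! 3. IKEv1 was already enabled on inside1 in the original post; bind the crypto map
!    to the same interface. Before this change only "outside" was offered here.
crypto ikev1 enable inside1
crypto map HS interface inside1
!
! 4. Verification: the map should now list inside1 as its interface, and once the
!    peer 10.1.1.2 negotiates, the phase 1 and phase 2 SAs should appear.
! show running-config crypto map
! show crypto ikev1 sa
! show crypto ipsec sa
```

Note that 10.1.1.0/24 is now routed rather than bridged, so any hosts that relied on the transparent behaviour of bridge-group 1 need to reach 10.1.1.1 as their next hop; the vpn-traffic ACL, transform set and tunnel-group from the original post are unchanged.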
09-17-2018 06:29 AM
09-19-2018 06:11 PM
No worries. I am glad the issue seemed to be resolved.