Resolution
In order to move LAN-to-LAN VPN configuration from PIX version 6.3 to PIX/ASA version 7.x, refer to this checklist:
- In version 6.x, normal IP access lists were used for the crypto map and NAT 0; in version 7.x, extended access lists are used.
- In version 6.x, there was no concept of a tunnel group. In version 7.x, use the tunnel-group command in global configuration mode to create and manage the database of connection-specific records for IPsec LAN-to-LAN (ipsec-l2l) tunnels. For LAN-to-LAN connections, the name of the tunnel group must be the IP address of the IPsec peer.
- In version 6.x, the isakmp key command was used to configure the preshared key for a LAN-to-LAN tunnel; in version 7.x, the pre-shared-key is configured under the tunnel group. For example:
ISAKMP key configuration for version 6.x:
isakmp key ******** address 192.168.1.52 netmask 255.255.255.255
ISAKMP key configuration for version 7.x:
! Both tunnel-group commands must use the same name: the IP address of the IPsec peer
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 pre-shared-key *
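The LAN-to-LAN checklist items above, as an added example that is not Cisco's code: a Python sketch that rewrites 6.x `isakmp key` and `access-list` lines into the 7.x form for review before they are pasted. The sample configuration, key strings and the function name `convert_l2l` are constructed for illustration; entries whose netmask is not a single host are set aside, because the tunnel-group name must be one peer address.

```python
import re

# Constructed 6.x sample (addresses and keys are placeholders, not from a real device).
SAMPLE_63 = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
isakmp key EXAMPLE-KEY address 192.168.1.52 netmask 255.255.255.255
isakmp key EXAMPLE-KEY2 address 0.0.0.0 netmask 0.0.0.0
"""

# Assumed 6.x line shapes: the isakmp key form shown on the page (netmask
# treated as optional) and access-list entries without the "extended" keyword.
ISAKMP_KEY = re.compile(r"^isakmp key (\S+) address (\S+)(?: netmask (\S+))?$")
ACL = re.compile(r"^access-list (\S+) (permit|deny) (.+)$")


def convert_l2l(config_63):
    """Return (lines_7x, needs_review) for the 6.x lines this sketch understands.

    Lines it does not recognise are ignored, not passed through.
    """
    out, review = [], []
    for raw in config_63.splitlines():
        line = raw.strip()
        m = ISAKMP_KEY.match(line)
        if m:
            key, peer, mask = m.groups()
            # A 7.x LAN-to-LAN tunnel group is named after one peer IP, so a
            # key bound to a network or wildcard cannot be mapped mechanically.
            if mask not in (None, "255.255.255.255"):
                review.append(line)
                continue
            out += [f"tunnel-group {peer} type ipsec-l2l",
                    f"tunnel-group {peer} ipsec-attributes",
                    f" pre-shared-key {key}"]
            continue
        m = ACL.match(line)
        if m:
            name, action, rest = m.groups()
            out.append(f"access-list {name} extended {action} {rest}")
    return out, review


if __name__ == "__main__":
    converted, review = convert_l2l(SAMPLE_63)
    print("\n".join(converted))
    for item in review:
        print("! review by hand:", item)
```

The output contains the preshared keys in clear text, so treat it with the same care as the device configuration itself.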
Refer to this checklist in order to move VPN client configuration from version 6.x to 7.x:
In versions 6.x and 7.x, the commands to configure the dynamic crypto map, ISAKMP policy, NAT 0 access-list and transform set remain the same. The configuration for these commands can be copied and pasted into PIX/ASA version 7.x without a problem.