enable lan2lan connection via "webpage"

gerard van rij
Level 1

Dear all,

We have a Cisco ASA 5510 which is also used for LAN-to-LAN connections. We have the following "problem".

Certain companies can only have access when we allow it. Currently this has to be done via ASDM/SSH. Is there a way to make this easier, e.g. via a script or webpage, so that an end user can do this and doesn't have to rely on the IT guys?

regards,

Gerard

6 Replies

raga.fusionet
Level 4

Hello Gerard,

There is no easy way to do this, and no Cisco-supported way if you want to call it that.

The only way to disable a L2L tunnel would be through SSH or ASDM.

Now if you manage to create a script that logs in to the ASA via SSH and does something like:

no crypto map outside_map 1 match address outside_1_cryptomap

That would "disable" your first tunnel. To enable it you would have to do the equivalent but with

crypto map outside_map 1 match address outside_1_cryptomap

You can then invoke the script from a CLI or a Web page.

I think that is the closest thing you could do, and that would allow you to "disable" tunnels without having to get into the ASA and do it manually.

I hope this helps.

Raga
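A sketch of the script Raga describes, added here as an example and not code from the thread or from Cisco. It assumes paramiko for the SSH transport (a hypothetical choice), a dedicated account for the end user that is limited to these commands, and the crypto-map names quoted above; the state check runs offline against a constructed "show running-config crypto map" excerpt.

```python
"""Toggle one ASA LAN-to-LAN tunnel over SSH and verify the result.

Added example for this thread, not Cisco's or the poster's code. Assumes
paramiko for SSH (hypothetical), a restricted account for the end user,
and the crypto-map names from the thread. Only run_over_ssh needs a device.
"""
import re
import time
from typing import List

# Constructed excerpt of 'show running-config crypto map' (not from a real ASA).
SAMPLE_SHOW_RUN = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set peer 203.0.113.20
crypto map outside_map interface outside
"""


def toggle_commands(map_name: str, seq: int, acl: str, enable: bool) -> List[str]:
    """Config commands that attach (enable) or remove (disable) the match ACL
    of one crypto-map entry, then save so the state survives a reload."""
    line = f"crypto map {map_name} {seq} match address {acl}"
    return ["configure terminal", line if enable else f"no {line}", "end", "write memory"]


def tunnel_enabled(show_run: str, map_name: str, seq: int, acl: str) -> bool:
    """True if the entry still carries its match-address line, i.e. the tunnel
    is allowed. Anchored so entry 1 does not match entry 10 or 11."""
    pattern = rf"^crypto map {re.escape(map_name)} {seq} match address {re.escape(acl)}\s*$"
    return re.search(pattern, show_run, re.MULTILINE) is not None


def run_over_ssh(host: str, user: str, password: str, commands: List[str]) -> str:
    """Send the commands through an interactive ASA shell and return the
    transcript; RejectPolicy refuses any host key not already in known_hosts."""
    import paramiko  # third-party; imported lazily so the offline checks need no SSH
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, password=password, look_for_keys=False)
    shell = client.invoke_shell()
    for cmd in commands + ["show running-config crypto map", "exit"]:
        shell.send(cmd + "\n")
        time.sleep(1)  # crude pacing; a prompt-aware expect loop is more robust
    out = shell.recv(65535).decode(errors="replace")
    client.close()
    return out
```

Pass the transcript from run_over_ssh to tunnel_enabled to confirm the change actually took effect rather than trusting the script's exit, and give the end user an account limited to these commands instead of full enable access.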

Yeah, exactly, that's kind of what you need. Perl is also a very strong language for scripting; if you have someone on your team that knows Perl scripting it might be even easier.

I hope this helps.

Raga

Please remember to mark this question as answered. Thanks!

Dear Raga,

The only thing I think I need to sort out is a privilege level for a user:

privilege level 5 mode group-policy "command"

Any idea how this works?

Via ASDM I got the following commands to enable and disable a LAN-to-LAN connection:

enable

  group-policy lan-2-lan-test attributes
    vpn-tunnel-protocol svc IPSec

disable

  group-policy lan-2-lan-test attributes
    vpn-tunnel-protocol svc

Thanks,

Gerard

Gerard, to be honest I've never played with privilege levels, so I can't really guide you on that. However, someone else asked about it before.

Feel free to check the following post:

https://supportforums.cisco.com/thread/2040973

I hope this helps.

Have fun.

Raga.

vabruno
Level 1

Gerard,

I would like to give you another option: rather than taking the tunnel down, you can create timed ACLs, which will allow you to disable all or portions of the tunnel access rather than an all on/off switch, which is what your script will do. If you are looking for the flexibility to possibly monitor a device across the tunnel but disable all other access, then just use timed ACLs to achieve this. This way you can monitor the uptime of your tunnels and avoid technical issues after enabling the tunnel.

Sent from Cisco Technical Support iPhone App
