
ASA 5505 with 8.4 image

Hello,

I upgraded my Cisco ASA from the 7.2 to the 8.4 system image.

Now the old-style syntax

isakmp policy ...

is not working anymore and I am not able to write an isakmp policy to be used for remote access VPN.

In many examples on the Cisco site I have seen that the Cisco AnyConnect client installed on the ASA is always used.

Does this mean that the old configuration compatible with the Cisco VPN client (IPsec) is no longer usable?

Or what kind of syntax do I have to use to configure remote access VPN?

For example, these commands are not working anymore:

hostname(config)# isakmp policy 1 authentication pre-share

hostname(config)# isakmp policy 1 encryption 3des

hostname(config)# isakmp policy 1 hash sha

hostname(config)# isakmp policy 1 group 2

hostname(config)# isakmp policy 1 lifetime 43200

any hints ?

thank you


Jason Gervia
Cisco Employee

This change was made a while ago - it should be 'crypto isakmp policy', not isakmp policy. IPSec is still fully supported in all ASA models.

Looks like it was made in 7.2(1)

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2040032

They probably just removed the old deprecated commands in 8.4. You should look for VPN examples that are 8.x and above:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml#CLI

That's an example of an L2L with a router and an ASA, and the ASA shows how the 'new' commands are used.

--Jason

I have an ASA with image 8.4(2) and there is no crypto isakmp policy available on the command line

ciscoasa(config)# crypto isakmp ?

configure mode commands/options:

  disconnect-notify  Enable disconnect notification to peers

  identity           Set identity type (address, hostname or key-id)

  nat-traversal      Enable and configure nat-traversal

  reload-wait        Wait for voluntary termination of existing connections

                     before reboot

So how can I configure anything? Do I have to revert to a version prior to 8.3?

The example reported here

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml#CLI

refers to an ASA image version prior to 8.3, I think, because there is still the old-style NAT syntax.

Anyway, on 8.4 there is NO crypto isakmp policy or isakmp policy available on the command line, so I guess how I can set up VPNs?

thank you very much

My ASA:

Cisco Adaptive Security Appliance Software Version 8.4(2)

Device Manager Version 6.4(5)

Compiled on Wed 15-Jun-11 18:17 by builders

System image file is "disk0:/asa842-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 1 day 10 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode        : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06

                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is 0023.5e2d.fefc, irq 11

1: Ext: Ethernet0/0         : address is 0023.5e2d.fef4, irq 255

2: Ext: Ethernet0/1         : address is 0023.5e2d.fef5, irq 255

3: Ext: Ethernet0/2         : address is 0023.5e2d.fef6, irq 255

4: Ext: Ethernet0/3         : address is 0023.5e2d.fef7, irq 255

I think the new syntax is

crypto ikev1 policy

or

crypto ikev2 policy

and I think it changed since 8.3+

but there is no documentation around as for the previous ASA image versions

Riccardo,

I hadn't tested 8.4, but you're right. They changed it in 8.4 (it was still crypto isakmp in 8.3) due to the addition of IKEv2.

Prior to 7.2(1)               7.2(1)-8.3                    8.4

isakmp policy                 crypto isakmp policy          crypto ikev1 policy # (enter subcommands)

crypto ipsec transform-set    crypto ipsec transform-set    crypto ipsec ikev1 transform-set

--J
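
The command mapping from the table above, as an added example that is not part of the thread and is not Cisco's code: a Python helper that rewrites legacy 'isakmp policy' / 'crypto isakmp policy' lines (one-line or indented block form) and 'crypto ipsec transform-set' lines into the 8.4 forms, and reports every line it does not recognise for manual review. The function name, the sample transform-set name and the assumption that the subcommand keywords carry over unchanged under 'crypto ikev1 policy' are the example's own.

```python
import re

# Constructed sample input: the 7.2-era commands quoted in the question plus
# one transform-set line whose name and ciphers are made up for illustration.
LEGACY = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
"""

POLICY = re.compile(r"^(?:crypto\s+)?isakmp\s+policy\s+(\d+)(?:\s+(\S.*))?$")
TSET = re.compile(r"^crypto\s+ipsec\s+transform-set\s+(\S.*)$")

def convert(text):
    """Return (lines in 8.4 syntax, lines left untouched for manual review)."""
    policies, tsets, unknown = {}, [], []
    current = None  # priority of the indented policy block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            policies[current].append(line)      # subcommand inside a block
            continue
        current = None
        m = POLICY.match(line)
        if m:
            prio = int(m.group(1))
            subs = policies.setdefault(prio, [])
            if m.group(2):
                subs.append(m.group(2).strip())  # one-line form
            else:
                current = prio                   # block header, subcommands follow
        elif (m := TSET.match(line)):
            tsets.append("crypto ipsec ikev1 transform-set " + m.group(1))
        else:
            unknown.append(line)                 # never guessed at, only reported
    out = []
    for prio in sorted(policies):
        out.append(f"crypto ikev1 policy {prio}")
        out += [" " + s for s in policies[prio]]
    return out + tsets, unknown

if __name__ == "__main__":
    converted, review = convert(LEGACY)
    print("\n".join(converted + ["! review manually: " + l for l in review]))
```
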