cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
631
Views
0
Helpful
3
Replies
cmclan2121
Beginner

how to enable ISAKMP outside redundant interface ?

I'm in early stage of configuring a ASA-5520 box for remote VPN access w/ IPSec. I'm trying to enable ISAKMP on the "outside" interface (with vlan).

The outside interface would be the sub-interface 802.1Q for a redundant interface.

                   | === Gi0/0 === < --- > Switch #1

                   |           |

ASA-5520 ==           | +++ Redundant1 +++  Redundant1.251 (vlan251 outside)

                   |           |

                   | === Gi0/2 === < --- > Switch #2

Cisco Adaptive Security Appliance Software Version 8.3(1)4
Device Manager Version 6.3(1)

The command wouldn't succed since the interface does not have a "nameif" (as suggested by cisco.com). If I do set a "nameif" then the redundant interface will pass untagged packets.

The command is "crypto isakmp enable interface-name"

It would be: crypto isakmp enable Redundant1.251 but

Here is my run conf:

interface GigabitEthernet0/0
description Switch_#1
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description *** not used ***
duplex full
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Switch_#2
duplex full 
no nameif   
no security-level
no ip address
!            
interface GigabitEthernet0/3
description *** not used ***
duplex full 
shutdown    
no nameif   
no security-level
no ip address

!

interface Management0/0
description mgt-vlan
nameif inside
security-level 100
ip address 172.19.24.66 255.255.254.0
management-only
!
interface Redundant1
description Switch_#1_#2
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface Redundant1.251
description vlan251
vlan 251
no nameif
security-level 100
ip address "outside_ip" 255.255.255.

1 ACCEPTED SOLUTION

Accepted Solutions
Jennifer Halim
Cisco Employee

In this case, you would need to configure the "nameif" command within the subinterface of the redundant interface.


Example:

interface Redundant1.251

     nameif outside

Then, on the crypto isakmp command, you would be able to refer to the above "outside" interface configured via the nameif command:

crypto isakmp enable outside

Hope that helps.

View solution in original post

3 REPLIES 3
Jennifer Halim
Cisco Employee

In this case, you would need to configure the "nameif" command within the subinterface of the redundant interface.


Example:

interface Redundant1.251

     nameif outside

Then, on the crypto isakmp command, you would be able to refer to the above "outside" interface configured via the nameif command:

crypto isakmp enable outside

Hope that helps.

View solution in original post

Great ... but again, I read in some configuration guide "not to assign nameif" to a subint. I will try it.

Thanks

No, you shouldn't configure the nameif command on the physical interface if you have subinterfaces under that particular physical interface purely because that trunk interface would not be tagged, hence it is not recommended to configure any interface settings under the physical trunk interface.

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (42%)

Content for Community-Ad