01-18-2016 07:11 PM
Hi there
I have a requirement to configure a site-to-site VPN on an ASA 5506 which is configured as a PPPoE client on its outside interface. I'm looking for any documentation or advice on how the VPN section should be configured. Currently I have the following configuration, but I'm not sure if this would work, as on the ASDM there is an error (red X) saying "This interface has crypto map configuration. It cannot be a part of Traffice Zone". Please see the attached for the error.
Interface config
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group ABCD
 ip address pppoe setroute
!
PPPoE Config
vpdn group ABCD request dialout pppoe
vpdn group ABCD localname user@spark.co.nz
vpdn group ABCD ppp authentication pap
vpdn username user password *****
VPN Config
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
 vpn-tunnel-protocol ikev1
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
The 5506 is for a remote site so I would like to make sure I have the configuration right. It would be great if someone could point me to the correct documentation or confirm that this config is correct and if I should be worried about the attached error. I know on the routers the crypto map has to be applied to the dialer interface. Is it something similar for ASAs?
Thanks in advance.
01-19-2016 12:12 AM
You should not be using traffic zones in this scenario, so ignore that error.
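For reference, an added example (not from either poster) of the pieces an IKEv1 LAN-to-LAN tunnel needs on an ASA whose outside interface is a PPPoE client. The object names L2L_ACL, L2L_TSET and OUTSIDE_MAP and the 192.168.x.0 subnets are constructed placeholders; x.x.x.x is the peer, as in the post.

```cisco
! Added example. L2L_ACL, L2L_TSET, OUTSIDE_MAP and both 192.168.x.0
! subnets are constructed placeholders; x.x.x.x is the remote peer.

! Phase 1. The authentication method in the policy has to agree with the
! tunnel-group: a tunnel-group that sets "ikev1 pre-shared-key" needs
! "authentication pre-share" here, not "crack".
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Traffic to protect: local LAN to remote LAN (placeholder subnets).
access-list L2L_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Phase 2 transform set.
crypto ipsec ikev1 transform-set L2L_TSET esp-aes-256 esp-sha-hmac

! Crypto map entry tying the ACL, peer and transform set together.
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer x.x.x.x
crypto map OUTSIDE_MAP 10 set ikev1 transform-set L2L_TSET

! The ASA has no separate dialer interface. The PPPoE session runs on the
! named interface itself, so the crypto map is bound to "outside".
crypto map OUTSIDE_MAP interface outside

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****

! Checks once the PPPoE session is up:
!   show vpdn session pppoe state
!   show crypto ikev1 sa
!   show crypto ipsec sa
```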