Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
467
Views
0
Helpful
1
Replies

Replacing ASA 55xx with ASR 1001X for Site-Site VPN

navydivervet
Level 1
Level 1

‎06-22-2020 01:20 AM

Replacing several ASA 5540s with ASR 1001X, for S2S Vpn connectivity (50+ sites). Is there a preferred way to migrate the data over? Trying to avoid remote device config changes or affecting the remote clients. Can someone provide example config for the ASR?

Labels:
0 Helpful
1 Reply 1

Rob Ingram
VIP
VIP

‎06-22-2020 01:33 AM

Hi,

Well it depends on how you've configured your ASA, Routed based or Policy Based VPN using IKEv1 or IKEv2?

Below is an example of Policy Based VPN using IKEv1.

 

ip access-list extended ACL_VPN_Map
 permit ip 192.168.1.0 0.0.0.255 10.155.0.0 0.0.0.255

crypto isakmp enable
crypto isakmp policy 1
 encryption aes 128
 authentication pre-share
 group 2
 hash sha
 exit

crypto isakmp key RANdomK3y11 address 1.1.1.2

crypto ipsec transform-set TSET esp-aes 128 esp-sha-hmac

crypto map R2_Map 1 ipsec-isakmp
match address ACL_VPN_Map
set peer 1.1.1.2
set pfs group2
set transform-set TSET

interface gigabitethernet 0/1
 crypto map R2_Map

 

HTH

0 Helpful
Customers Also Viewed These Support Documents