01-30-2020 08:35 AM
Hi, I am working on templatizing my VPN deployments and would like to deploy all config in the CLI. When I try the following config in the CLI, I do not get a connection profile to show up in the ASDM. But when I configure a connection profile in the ASDM, this is the config that gets deployed in the CLI. How can I get the connection profile to show up in the ASDM?
object network 10.12.47.0-28
 subnet 10.12.47.0 255.255.255.240
 description Local Reservations
!
object network REMOTE_DGA_SUBNET1
 subnet 10.x.0.0 255.255.255.0
 description Dynamix Test Subnet
!
object network REMOTE_DGA_SUBNET2
 subnet 10.x.0.0 255.255.0.0
 description Dynamix Test Subnet
!
object-group network DGA_TESTING_LAB
 network-object object REMOTE_DGA_SUBNET1
 network-object object REMOTE_DGA_SUBNET2
 exit
!
crypto ipsec ikev2 ipsec-proposal IKEV2_AESGCM-SHA
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-384
!
group-policy S2S_IKEv2_POLICY internal
group-policy S2S_IKEv2_POLICY attributes
 vpn-tunnel-protocol ikev2
 exit
!
tunnel-group S2S_DGA type ipsec-l2l
tunnel-group S2S_DGA general-attributes
 default-group-policy S2S_IKEv2_POLICY
tunnel-group S2S_DGA ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 exit
!
access-list S2S_DGA_ACL line 1 extended permit ip object 10.12.47.0-28 object-group DGA_TESTING_LAB
!
crypto map outside_map 1 match address S2S_DGA_ACL
crypto map outside_map 1 set pfs group20
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set ikev2 ipsec-proposal IKEV2_AESGCM-SHA
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set nat-t-disable
!
01-31-2020 12:36 AM - edited 01-31-2020 12:37 AM
Hi,
Did you configure names to map S2S_DGA (mapping the name to the IP address)?
ex.: enable ASA to use names:
ASA(config)#names
name 1.1.1.1 S2S_DGA << and then do the mapping.
Without it, the tunnel-group will not be reflected under Connection Profiles (along with the crypto map mapped to an interface).
Regarding the crypto map binding: https://cdetsng.cisco.com/summary/#/defect/CSCuv84832
Hope this helps.
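The condition described in the reply above can be checked on a templated config before it is pushed. This is an added example, not part of the thread and not Cisco tooling; the function name `lint_l2l`, the constructed sample, the documentation address 192.0.2.10 and the interface name `outside` are assumptions.

```python
import ipaddress
import re

# Constructed sample, trimmed from the question's config; the peer is a documentation IP.
SAMPLE = """\
tunnel-group S2S_DGA type ipsec-l2l
tunnel-group S2S_DGA ipsec-attributes
crypto map outside_map 1 match address S2S_DGA_ACL
crypto map outside_map 1 set peer 192.0.2.10
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def lint_l2l(config):
    """Return findings for L2L tunnel-groups and crypto maps, per the reply's two conditions."""
    lines = [line.strip() for line in config.splitlines()]
    names_on = "names" in lines          # the bare 'names' command enables name lookups
    named, peers, bound, groups = {}, {}, set(), []
    for line in lines:
        if m := re.fullmatch(r"name (\S+) (\S+)(?: description .*)?", line):
            named[m[2]] = m[1]           # name -> IP address
        elif m := re.fullmatch(r"tunnel-group (\S+) type ipsec-l2l", line):
            groups.append(m[1])
        elif m := re.fullmatch(r"crypto map (\S+) \d+ set peer (.+)", line):
            peers.setdefault(m[1], set()).update(m[2].split())
        elif m := re.fullmatch(r"crypto map (\S+) interface \S+", line):
            bound.add(m[1])
    all_peers = set().union(*peers.values())
    findings = []
    for group in groups:
        if is_ip(group):
            addr = group
        elif names_on and group in named:
            addr = named[group]
        else:
            findings.append(f"tunnel-group {group}: not an IP and no 'names' / 'name <ip> {group}' mapping")
            continue
        # With 'names' on, the peer may be written as the address or as the name.
        if addr not in all_peers and group not in all_peers:
            findings.append(f"tunnel-group {group}: {addr} is not a 'set peer' in any crypto map")
    for cmap in sorted(set(peers) - bound):
        findings.append(f"crypto map {cmap}: not bound to an interface")
    return findings
```

Running `lint_l2l(SAMPLE)` reports both the missing name mapping and the unbound crypto map; an empty list means the config meets both conditions.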
01-31-2020 10:06 AM
This is exactly what I was missing. Thanks!
01-31-2020 08:17 PM