Help on Enabling and Configuring VPN on ASA5520 Problem

Unanswered Question
Sep 6th, 2008

Hello, we recently bought a pair of ASA5520s to replace our old PIX firewalls. ASA and multiple contexts are new to us.

We've upgraded the firmware to the latest ASA 8.0(4), ASDM 6.1(3).

We've configured failover, and firewall access is working fine. We put all the config in the admin context. However, when we try to configure VPN (client and site-to-site), we have a problem: we cannot add any VPN configuration.

(a) In ASDM Configuration, there is no IPsec VPN or SSL VPN wizard as mentioned in the instructions; the only wizards available are Startup, High Availability, and Packet Capture. How do we show more wizards?

(b) On the CLI, it doesn't take isakmp or crypto ipsec commands. The only commands available under the crypto command are CA and KEY. I tried to configure the VPN under the contexts and in global configuration; it doesn't take any VPN configuration commands as it would on the PIX.

ASA/admin(config)# isakmp policy 2 encryption des
ERROR: % Invalid input detected at '^' marker.
ASA/admin(config)# crypto ipsec transform-set VPN esp-3des esp-sha-hmac
ERROR: % Invalid input detected at '^' marker.

Is there something we're missing here?

Licensed features for this platform:
Cisco Adaptive Security Appliance Software Version 8.0(4) <context>
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
ASA up 22 hours 34 mins
failover cluster up 22 hours 34 mins
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 001f.caf0.2bd6, irq 9
1: Ext: GigabitEthernet0/1 : address is 001f.caf0.2bd7, irq 9
2: Ext: GigabitEthernet0/2 : address is 001f.caf0.2bd8, irq 9
3: Ext: GigabitEthernet0/3 : address is 001f.caf0.2bd9, irq 9
4: Ext: Management0/0 : address is 001f.caf0.2bd5, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: xxxx
Running Activation Key: xxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 11:10:18.994 EDT Sat Sep 6 2008

We opened a support ticket early this week, but the engineer assigned to us didn't help us: she said she'd call us three times, then said she was busy, sent email apologies and asked if I still needed help. Of course, she didn't reply to our emails over the weekend either. Now we need to have this VPN set up so some support guys can access the network over the weekend (some ARP conflict issues). I hope some experts here can help us before we open another support ticket.

Thanks in advance!
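The clue in the pasted output is the `<context>` marker on the version line: the unit is running in multiple-context mode, and ASA 8.0 does not support IPsec or SSL VPN in that mode, which is why the crypto commands are rejected. The following is an added example, not code from the thread or from Cisco; it parses a constructed sample trimmed from the `show version` output above and reports why VPN commands would fail. It assumes the `<context>`/`<system>` marker is only printed in multiple-context mode (`show mode` remains the authoritative check).

```python
import re

# Constructed sample, trimmed from the 'show version' output in the post above.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(4) <context>
Device Manager Version 6.1(3)
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
VPN Peers : 750
WebVPN Peers : 2
This platform has an ASA 5520 VPN Plus license.
"""

# Version line; the optional <system>/<context> marker is assumed to appear
# only when the unit runs in multiple-context mode.
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+(?P<ver>\S+)"
    r"(?:\s+<(?P<marker>system|context)>)?"
)
# "Feature name : value" rows of the licensed-features table.
FEATURE_RE = re.compile(r"^(?P<key>[A-Za-z0-9/ \-]+?)\s*:\s*(?P<val>.+?)\s*$")


def parse_show_version(text):
    """Return the software version, context marker and licensed-feature table."""
    info = {"version": None, "marker": None, "features": {}}
    in_features = False
    for line in text.splitlines():
        line = line.strip()
        m = VERSION_RE.search(line)
        if m:
            info["version"] = m.group("ver")
            info["marker"] = m.group("marker")
            continue
        if line.startswith("Licensed features for this platform"):
            in_features = True
            continue
        if in_features:
            f = FEATURE_RE.match(line)
            if f:
                info["features"][f.group("key")] = f.group("val")
            elif line.startswith("This platform has"):
                in_features = False  # summary line ends the table
    return info


def diagnose(info):
    """Explain, from parsed output, why IPsec/SSL VPN commands may be rejected."""
    feats = info["features"]
    multi = info["marker"] is not None
    findings = []
    if multi:
        findings.append(
            "multiple-context mode (<{}>): ASA 8.0 does not support IPsec or SSL "
            "VPN in this mode, so crypto/isakmp commands are rejected".format(info["marker"])
        )
    if feats.get("Failover", "").lower() == "active/active":
        findings.append(
            "Active/Active failover is licensed; Active/Active requires "
            "multiple-context mode, so it cannot be combined with VPN"
        )
    if feats.get("VPN-3DES-AES", "").lower() != "enabled":
        findings.append("VPN-3DES-AES is not enabled: only DES IPsec would be available")
    return {"multiple_context": multi, "vpn_blocked": multi, "findings": findings}


if __name__ == "__main__":
    report = diagnose(parse_show_version(SAMPLE_SHOW_VERSION))
    for finding in report["findings"]:
        print("-", finding)
```

Paste the output of `show version` from each unit in place of the constructed sample; a unit in single mode produces no marker and no findings.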

tzhang888 Sat, 09/06/2008 - 08:43

Thanks. That's a bummer. Multiple contexts have to be used for Active/Active failover. We were told that under multiple-context mode and Active/Active failover we cannot configure VPN cluster load balancing, but we didn't know we cannot use IPsec or configure VPN at all. If we cannot use VPN on the ASA, the Active/Active configuration is useless; well, we will switch to Active/Standby like our old PIX.

JORGE RODRIGUEZ Sat, 09/06/2008 - 09:04

You can do routed mode Active/Standby with stateful failover for no disruption of VPN.

Do you mind if I ask why you need contexts? I can understand one huge benefit of departmentalizing with virtual firewalls for different customers or internal security departments; then yes, Active/Active is put in place for contexts. But if this is not your primary requirement, stateful failover in routed mode is beneficial for continuous critical traffic if one FW fails.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

tzhang888 Sat, 09/06/2008 - 09:10

Yes, it has to be in routed mode under Active/Active too. We don't want to use multiple contexts, but the Active/Active failover configuration needs (converts) the ASA from single-context mode to multiple-context mode.
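The route the thread settles on is single-context routed mode with Active/Standby stateful failover, after which the IPsec commands that were rejected in the admin context are accepted. The configuration below is an added example, not taken from the thread or from Cisco's linked document. It assumes this unit is the primary, that GigabitEthernet0/3 is free to carry the failover and state link, that the addresses are documentation ranges, and that the peer address and secrets are placeholders to replace.

```cisco
! Added example (not from the thread). Assumptions: primary unit, Gi0/3 free
! for the failover/state link, documentation addresses, placeholder secrets.
!
! 1. Leave multiple-context mode. This prompts for confirmation and reloads;
!    the running configuration must be rebuilt in single mode afterwards.
mode single
!
! 2. Active/Standby failover in routed mode, with the same link carrying
!    connection state so established IPsec SAs survive a unit failure.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link folink GigabitEthernet0/3
failover key REPLACE-WITH-SHARED-SECRET
failover
!
! 3. Every data interface needs a standby address for the peer unit.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! 4. Site-to-site IPsec in the 'crypto isakmp' form documented for 8.0
!    (the thread used the older PIX-style 'isakmp' form). The transform set
!    uses AES because VPN-3DES-AES is enabled in the license shown above.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set VPN esp-aes-256 esp-sha-hmac
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set VPN
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-PRESHARED-KEY
```

After the reload, confirm the mode and failover state before adding the VPN configuration: `show mode` should report single mode, `show failover` should show the secondary as Standby Ready, and `show crypto isakmp sa` should list the peer once the tunnel is up. Apply the configuration on the primary only; failover replicates it to the standby.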
