09-06-2008 08:06 AM - edited 03-11-2019 06:40 AM
Hello, we recently bought a pair of ASA5520, we plan to replace our old Pix firewalls. ASA and multiple contexts are new to us.
We've upgraded the firmware to the latest ASA 8.0(4), ASDM 6.1(3).
We've configured failovers, the firewall accesses are working fine. We put all config on Admin context. However, when we're trying to configure VPN (client and Site to Site), we are having a problem, we cannot add VPN configuration.
(a) In ASDM configuration, there is no IPsec VPN or SSL VPN wizard as mentioned in the instructions; the only wizards available are Startup, High Availability, and Packet Capture. How do we show more wizards?
(b) On the CLI, it doesn't take isakmp, ipsec or crypto ipsec commands. The only commands available under the crypto command are ca and key. I tried to configure the VPN under the contexts or in global configuration; it doesn't take any VPN configuration commands as I would do under the Pix.
ASA/admin(config)# isakmp policy 2 encryption des
ERROR: % Invalid input detected at '^' marker.
ASA/admin(config)# crypto ipsec transform-set VPN esp-3des esp-sha-hmac
ERROR: % Invalid input detected at '^' marker.
Is there something we're missing here?
Licensed features for this platform:
Cisco Adaptive Security Appliance Software Version 8.0(4) <context>
Device Manager Version 6.1(3)
Compiled on Thu 07-Aug-08 20:53 by builders
ASA up 22 hours 34 mins
failover cluster up 22 hours 34 mins
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 001f.caf0.2bd6, irq 9
1: Ext: GigabitEthernet0/1 : address is 001f.caf0.2bd7, irq 9
2: Ext: GigabitEthernet0/2 : address is 001f.caf0.2bd8, irq 9
3: Ext: GigabitEthernet0/3 : address is 001f.caf0.2bd9, irq 9
4: Ext: Management0/0 : address is 001f.caf0.2bd5, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5520 VPN Plus license.
Serial Number: xxxx
Running Activation Key: xxxx
Configuration register is 0x1
Configuration last modified by enable_15 at 11:10:18.994 EDT Sat Sep 6 2008
We opened a support ticket early this week, but the engineer assigned to us didn't help us: she said she'd call us three times, then she said she was busy, sent an email apology and asked if I still needed help. Of course, she didn't reply to our emails over the weekend either. Now we need to have this VPN set up for some support guys to access the network over the weekend (some ARP conflict issues). I hope some experts here can help us before we open another support ticket.
Thanks in advance!
09-06-2008 08:36 AM
If I'm not mistaken you are running context mode; VPN server and/or L2L is not supported, among some other unsupported features, under this mode.
See "features not supported under multiple context":
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html
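As an added example that is not part of this thread (my own code, not Cisco's): a small Python check that parses the kind of "show version" output quoted above and explains why the VPN commands are rejected even though the VPN-DES / VPN-3DES-AES licence lines say Enabled. It assumes that the "<context>" suffix on the software version line is printed only when the ASA runs in multiple-context mode, and it encodes the unsupported-feature list from the configuration guide linked above as a fixed rule; the sample output is constructed from the lines in the thread.

```python
import re

# Constructed sample, modelled on the `show version` output quoted in this
# thread. Assumption: the "<context>" suffix on the software version line is
# what the ASA prints when it runs in multiple-context mode. Only the lines
# the check needs are included.
SAMPLE_MULTI_MODE = """\
Cisco Adaptive Security Appliance Software Version 8.0(4) <context>
Device Manager Version 6.1(3)
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
VPN Peers : 750
WebVPN Peers : 2
"""

# The same appliance in single-context mode would print the version line
# without the marker; constructed here for comparison.
SAMPLE_SINGLE_MODE = SAMPLE_MULTI_MODE.replace(" <context>", "")

VERSION_RE = re.compile(
    r"^Cisco Adaptive Security Appliance Software Version (\S+)(\s+<context>)?"
)
# "Feature name : value" lines of the licence table.
FEATURE_RE = re.compile(r"^([A-Za-z0-9/ \-]+?)\s*:\s*(.+)$")


def parse_show_version(text):
    """Return the software version, the context mode and the licence table."""
    info = {"version": None, "multi_context": False, "features": {}}
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            info["version"] = m.group(1)
            info["multi_context"] = m.group(2) is not None
            continue
        m = FEATURE_RE.match(line)
        if m:
            info["features"][m.group(1).strip()] = m.group(2).strip()
    return info


def vpn_assessment(info):
    """Decide whether IPsec / SSL VPN can actually be configured on this box.

    A VPN licence shown as Enabled is necessary but not sufficient: in
    multiple-context mode (which Active/Active failover requires) the 8.0
    configuration guide lists IPsec and SSL VPN as unsupported, which is why
    the isakmp and crypto ipsec commands are rejected with "Invalid input".
    """
    licensed = any(
        info["features"].get(k) == "Enabled" for k in ("VPN-DES", "VPN-3DES-AES")
    )
    if not licensed:
        return {"vpn_licensed": False, "vpn_usable": False,
                "reason": "no VPN encryption feature licensed"}
    if info["multi_context"]:
        return {"vpn_licensed": True, "vpn_usable": False,
                "reason": "multiple-context mode: IPsec and SSL VPN are not "
                          "supported; Active/Active failover needs this mode"}
    return {"vpn_licensed": True, "vpn_usable": True,
            "reason": "single-context mode with a VPN licence"}


if __name__ == "__main__":
    for label, sample in (("multi", SAMPLE_MULTI_MODE), ("single", SAMPLE_SINGLE_MODE)):
        parsed = parse_show_version(sample)
        print(label, parsed["version"], parsed["multi_context"], vpn_assessment(parsed))
```

The point of the two samples is the one the answer above makes: the licence table is identical in both, so looking only at the licensed-features section will never explain the rejected commands; the mode line (or "show mode" on the box itself) is what decides it.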
09-06-2008 08:43 AM
Thanks. That's a bummer. Multiple contexts have to be used for Active/Active failover. We were told that under multiple-context mode and Active/Active failover we cannot configure VPN cluster load balancing, but we didn't know we couldn't use IPsec and configure VPN at all. If we cannot use VPN on the ASA, the Active/Active configuration is useless; well, we will switch to Active/Standby like our old Pix.
09-06-2008 09:04 AM
You can do routed mode Active/Standby with stateful failover for no disruption of VPN.
Do you mind if I ask why you need contexts? I can understand one huge benefit in departmentalizing with virtual firewalls for different customers or internal security departments; then yes, Active/Active is put in place for contexts. But if this is not your primary requirement, stateful failover in routed mode is beneficial for continuous critical traffic if one firewall fails.
09-06-2008 09:10 AM
Yes, it has to be in routed mode under Active/Active too. We don't want to use multiple contexts. But the Active/Active failover configuration needs (converts) the ASA from single-context mode to multiple-context mode.