how to enable ISAKMP outside redundant interface ?

Answered Question
Jul 15th, 2010

I'm in the early stages of configuring an ASA-5520 box for remote VPN access with IPsec. I'm trying to enable ISAKMP on the "outside" interface (with a VLAN).

The outside interface would be the sub-interface 802.1Q for a redundant interface.

                | === Gi0/0 === <---> Switch #1
                |        |
    ASA-5520 == | +++ Redundant1 +++  Redundant1.251 (vlan251 outside)
                |        |
                | === Gi0/2 === <---> Switch #2

Cisco Adaptive Security Appliance Software Version 8.3(1)4
Device Manager Version 6.3(1)

The command wouldn't succeed since the interface does not have a "nameif" (as suggested by cisco.com). If I do set a "nameif", then the redundant interface will pass untagged packets.

The command is "crypto isakmp enable interface-name".

It would be: crypto isakmp enable Redundant1.251 but

Here is my run conf:

interface GigabitEthernet0/0
description Switch_#1
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description *** not used ***
duplex full
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Switch_#2
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description *** not used ***
duplex full
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description mgt-vlan
nameif inside
security-level 100
ip address 172.19.24.66 255.255.254.0
management-only
!
interface Redundant1
description Switch_#1_#2
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface Redundant1.251
description vlan251
vlan 251
no nameif
security-level 100
ip address "outside_ip" 255.255.255.

Correct Answer
Jennifer Halim Wed, 07/21/2010 - 07:55

In this case, you would need to configure the "nameif" command within the subinterface of the redundant interface.


Example:

interface Redundant1.251

     nameif outside

Then, on the crypto isakmp command, you would be able to refer to the above "outside" interface configured via the nameif command:

crypto isakmp enable outside

Hope that helps.
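
Putting the answer together with the interface layout from the question, here is an added example (not configuration from the original post or from the answer). The two physical members and the Redundant1 interface stay unnamed so nothing is processed untagged, the 802.1Q subinterface carries the nameif, and ISAKMP is then enabled by that name rather than by the interface identifier. The IP address, mask and descriptions are placeholders; the example uses security-level 0, the usual value for the untrusted side (the posted config shows 100 on that subinterface). On ASA 8.3, as in the question, the command is `crypto isakmp enable`; on 8.4 and later the same function is `crypto ikev1 enable`.

```cisco
! Added example, not the poster's running config. The address
! 203.0.113.2/24 is a documentation range used as a placeholder.
!
! Member interfaces: no nameif, no security-level, no IP. They only
! carry the trunk for the redundant interface.
interface GigabitEthernet0/0
 description Switch_#1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Switch_#2
 no nameif
 no security-level
 no ip address
!
! Redundant interface: also left unnamed, so the ASA never treats
! untagged frames on the trunk as belonging to a named interface.
interface Redundant1
 description Switch_#1_#2
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
! 802.1Q subinterface: this is where nameif, security-level and the
! IP address belong. The name "outside" is what later commands refer to.
interface Redundant1.251
 description vlan251
 vlan 251
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! ISAKMP (IKEv1) is enabled per named interface. This is the 8.3 syntax;
! ASA 8.4 and later use "crypto ikev1 enable outside" instead.
crypto isakmp enable outside
```

To check the result, `show running-config crypto isakmp` should list `crypto isakmp enable outside`, `show interface Redundant1` shows which member is currently active, and once a remote peer connects `show crypto isakmp sa` shows the phase 1 SA on the outside interface.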

cmclan2121 Wed, 07/21/2010 - 08:00

Great ... but again, I read in some configuration guide "not to assign nameif" to a subint. I will try it.

Thanks

Jennifer Halim Wed, 07/21/2010 - 08:10

No, you shouldn't configure the nameif command on the physical interface if you have subinterfaces under that particular physical interface, purely because that trunk interface would not be tagged; hence it is not recommended to configure any interface settings under the physical trunk interface.
