928 Views | 0 Helpful | 3 Replies

how to enable ISAKMP outside redundant interface ?

cmclan2121 (Level 1)

I'm in the early stage of configuring an ASA-5520 box for remote VPN access with IPSec. I'm trying to enable ISAKMP on the "outside" interface (with a VLAN).

The outside interface would be an 802.1Q subinterface of a redundant interface.

                   | === Gi0/0 === < --- > Switch #1
                   |           |
ASA-5520 ==        | +++ Redundant1 +++  Redundant1.251 (vlan251 outside)
                   |           |
                   | === Gi0/2 === < --- > Switch #2

Cisco Adaptive Security Appliance Software Version 8.3(1)4
Device Manager Version 6.3(1)

The command wouldn't succeed since the interface does not have a "nameif" (as suggested by cisco.com). If I do set a "nameif", then the redundant interface will pass untagged packets.

The command is "crypto isakmp enable interface-name"

It would be: crypto isakmp enable Redundant1.251 but

Here is my run conf:

interface GigabitEthernet0/0
 description Switch_#1
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description *** not used ***
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Switch_#2
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description *** not used ***
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description mgt-vlan
 nameif inside
 security-level 100
 ip address 172.19.24.66 255.255.254.0
 management-only
!
interface Redundant1
 description Switch_#1_#2
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface Redundant1.251
 description vlan251
 vlan 251
 no nameif
 security-level 100
 ip address "outside_ip" 255.255.255.

Accepted Solution

Jennifer Halim (Cisco Employee)

In this case, you would need to configure the "nameif" command within the subinterface of the redundant interface.


Example:

interface Redundant1.251
 nameif outside

Then, on the crypto isakmp command, you would be able to refer to the above "outside" interface configured via the nameif command:

crypto isakmp enable outside

Hope that helps.


3 Replies


Great ... but again, I read in some configuration guide "not to assign nameif" to a subint. I will try it.

Thanks

No, you shouldn't configure the nameif command on the physical interface if you have subinterfaces under that particular physical interface, purely because that trunk interface would not be tagged; hence it is not recommended to configure any interface settings under the physical trunk interface.
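An added example, not from the thread and not Cisco's code, that checks an ASA-style running-config for the mistakes discussed in the accepted answer and in the reply above: pointing "crypto isakmp enable" at an interface name instead of a nameif, putting the nameif on the trunk parent rather than on the 802.1Q subinterface, an addressed interface that has no nameif at all, and (as a convention check only) a non-zero security-level on "outside". Both embedded configs are constructed for the example; 203.0.113.2 is a placeholder address, and the security-level 100 that appears on the outside subinterface in the posted config is carried into the bad sample so the warning fires. The parser keys on "interface" and "!" lines rather than indentation, since the forum copy of the config lost its indentation.

```python
"""Lint an ASA running-config for the nameif / ISAKMP mistakes in the thread.
Example code; the checks encode the advice given in the thread, not Cisco's own validation."""
import re
from typing import Dict, List, Optional

# Constructed sample written the way the accepted answer recommends: the trunk
# parent Redundant1 stays unnamed, the subinterface carries the nameif, and
# "crypto isakmp enable" refers to that nameif. 203.0.113.2 is a placeholder.
GOOD_CONFIG = """\
interface Redundant1
 description Switch_#1_#2
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface Redundant1.251
 description vlan251
 vlan 251
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
crypto isakmp enable outside
"""

# Constructed sample of what the poster was tempted to do: name the trunk parent
# (so it would accept untagged frames), leave the subinterface unnamed, keep the
# security-level 100 from the posted config, and reference the interface name.
BAD_CONFIG = """\
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/2
 nameif outside
 security-level 100
!
interface Redundant1.251
 vlan 251
 no nameif
 ip address 203.0.113.2 255.255.255.0
!
crypto isakmp enable Redundant1.251
"""

ISAKMP_RE = re.compile(r"^\s*crypto isakmp enable (\S+)\s*$", re.MULTILINE)


def parse_interfaces(config: str) -> Dict[str, Dict[str, Optional[object]]]:
    """Collect nameif, security-level and ip address per interface block.
    A block starts at an 'interface' line and ends at '!' or the next block,
    so the parser does not depend on indentation. 'no nameif' leaves nameif unset."""
    intfs: Dict[str, Dict[str, Optional[object]]] = {}
    current: Optional[Dict[str, Optional[object]]] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            current = None
            continue
        if tokens[0] == "interface" and len(tokens) == 2:
            current = {"nameif": None, "security_level": None, "ip": None}
            intfs[tokens[1]] = current
            continue
        if current is None:
            continue
        if tokens[0] == "nameif" and len(tokens) == 2:
            current["nameif"] = tokens[1]
        elif tokens[0] == "security-level" and len(tokens) == 2:
            current["security_level"] = int(tokens[1])
        elif tokens[:2] == ["ip", "address"] and len(tokens) >= 3:
            current["ip"] = tokens[2]
    return intfs


def lint(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    intfs = parse_interfaces(config)
    by_nameif = {v["nameif"]: k for k, v in intfs.items() if v["nameif"]}
    findings: List[str] = []

    # 1. "crypto isakmp enable" takes a nameif, never an interface name.
    for target in ISAKMP_RE.findall(config):
        if target in by_nameif:
            continue
        if target in intfs:
            findings.append(f"crypto isakmp enable {target}: '{target}' is an interface name; "
                            f"set 'nameif' on it and reference that name instead")
        else:
            findings.append(f"crypto isakmp enable {target}: no interface carries nameif '{target}'")

    for name, attrs in intfs.items():
        parent, dot, _ = name.partition(".")
        # 2. A named trunk parent would also accept untagged frames (the reply above).
        if dot and intfs.get(parent, {}).get("nameif"):
            findings.append(f"{parent}: nameif '{intfs[parent]['nameif']}' on a trunk parent "
                            f"that has subinterface {name}; leave the parent unnamed")
        # 3. An addressed interface without a nameif is unusable on the ASA.
        if attrs["ip"] and not attrs["nameif"]:
            findings.append(f"{name}: ip address configured but no nameif")
        # 4. Convention check: the Internet-facing interface is security-level 0.
        if attrs["nameif"] == "outside" and attrs["security_level"] not in (None, 0):
            findings.append(f"{name}: nameif outside with security-level "
                            f"{attrs['security_level']}; outside is conventionally 0")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(cfg) or "clean")
```

Run against a real "show running-config" the same way: lint(open("running-config.txt").read()). The good sample produces no findings; the bad one reports all four problems, the first of them being exactly the error the poster hit with "crypto isakmp enable Redundant1.251".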
