Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Help on Enabling and Configuring VPN on ASA5520 Problem

Hello, we recently bought a pair of ASA5520, we plan to replace our old Pix firewalls. ASA and multiple contexts are new to us.

We've upgraded the firmware to the lastest ASA 8.04, ASDM 6.1(3).

We've configured failovers, the firewall accesses are working fine. We put all config on Admin context. However, when we're trying to configure VPN (client and Site to Site), we are having a problem, we cannot add VPN configuration.

(a) On ASDM configuration, there is no IPSEC VPN or SSL VPN Wizard as mentioned on instructions; Only Wizards avaliable to use are Startup, High Avaliability, and Packet Capture. How to show more Wizards?

(b) On the CLC, it doesn't take isakmp ipsec or crypto ipsec commands. The only commands can use under Crypto command is CA and KEY. I tried to configure the VPN under Contexts or Global configuration, it doesn't take any VPN configuration commands as I would do under Pix.

ASA/admin(config)# isakmp policy 2 encryption des

ERROR: % Invalid input detected at '^' marker.

ASA/admin(config)# crypto ipsec transform-set VPN esp-3des esp-sha-hmac

ERROR: % Invalid input detected at '^' marker.

Is there something we're missing here?

Licensed features for this platform:

Cisco Adaptive Security Appliance Software Version 8.0(4) <context>

Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders

ASA up 22 hours 34 mins

failover cluster up 22 hours 34 mins

Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: GigabitEthernet0/0 : address is 001f.caf0.2bd6, irq 9

1: Ext: GigabitEthernet0/1 : address is 001f.caf0.2bd7, irq 9

2: Ext: GigabitEthernet0/2 : address is 001f.caf0.2bd8, irq 9

3: Ext: GigabitEthernet0/3 : address is 001f.caf0.2bd9, irq 9

4: Ext: Management0/0 : address is 001f.caf0.2bd5, irq 11

5: Int: Not used : irq 11

6: Int: Not used : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 150

Inside Hosts : Unlimited

Failover : Active/Active

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 2

GTP/GPRS : Disabled

VPN Peers : 750

WebVPN Peers : 2

AnyConnect for Mobile : Disabled

AnyConnect for Linksys phone : Disabled

Advanced Endpoint Assessment : Disabled

UC Proxy Sessions : 2

This platform has an ASA 5520 VPN Plus license.

Serial Number: xxxx

Running Activation Key: xxxx

Configuration register is 0x1

Configuration last modified by enable_15 at 11:10:18.994 EDT Sat Sep 6 2008

We have opened a support ticket early this week, but the engineer assigned to us didn't help us, she said she'd call us for three times, then she said she's busy, sent email apologies and asked if I still need help. Of course, she didn't reply to our emails in the weekend too. Now we need to have this VPN setup for some support guys to access to the network in the weekend (some conflict ARP issues). I wish some experts here can help us before open another support ticket.

Thanks in advance!

  • Firewalling
4 REPLIES

Re: Help on Enabling and Configuring VPN on ASA5520 Problem

if Im not mistaken you are running context mode, VPN server and/or L2L is not supportted among some other unsuported features under this mode.

seet features not supported under multiple context

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html

New Member

Re: Help on Enabling and Configuring VPN on ASA5520 Problem

Thanks. That's a bummer. Multiple contexts have to be used for Active-Active failover. We were told under mutiple context mode and Active-Active failover, we cannot configure VPN cluster load balance, but didn't know cannot use IPSEC and configure VPN at all. If we cannot use VPN on ASA, Active-Active configuration is useless, well, will switch to Active-Standby like our old Pix.

Re: Help on Enabling and Configuring VPN on ASA5520 Problem

you can do routed mode active/standby with stateful failover for no disruption of vpn.

Do you mind I ask , why do you need context? I can understand one huge benefit by departmentalize with virtual firewalls for different customers or internal security departments then yest active/active is put im place for context.. but if this is not your primary requirement , statefull failover in routed mode is benefitial for continous critical traffic if one fw fails.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

New Member

Re: Help on Enabling and Configuring VPN on ASA5520 Problem

Yes, has to be in routed mode under active/active too. We don't want to use multiple contexts. But the Active-Active Failover configuration needs (converts) ASA from single context mode to multiple context mode.

278
Views
0
Helpful
4
Replies
This widget could not be displayed.