Cisco Support Community

New Member

VLAN on ASA 5520

Good afternoon guys,

I'd like to do a vlan with 2 interfaces and just one IP, can I do it?

10 REPLIES
Hall of Fame Super Blue

Re: VLAN on ASA 5520

Denis

Could you give a few more details.

You can use transparent mode where you have 2 vlans with one IP but by the sounds of it this is not what you want.

Are you asking if the ASA can support IRB (Integrated Routing/Bridging) where 2 interfaces on your ASA are in the same vlan and share an IP address?

Jon

New Member

Re: VLAN on ASA 5520

Yes Jon, something like IRB

Hall of Fame Super Blue

Re: VLAN on ASA 5520

Denis

I'm not aware of the ASA supporting the likes of IRB but then I have never found the need to configure it so I'm not 100% certain on that. I have had a quick look at the configuration docs and couldn't find anything other than transparent mode which is slightly different, i.e. you bridge together 2 vlans.

Unfortunately I don't have access to an ASA to test but I don't think this is supported.

Jon

New Member

Re: VLAN on ASA 5520

Well, I need to link 2 computers into the ASA using necessarily 2 ASA's interfaces.

and I need to put the same IP address on both interfaces, because the computers have the same configuration

Anybody?

New Member

Re: VLAN on ASA 5520

I need to do a vpn between two ASA 5520 with the basic IOS, can I do it?

Re: VLAN on ASA 5520

Hi Denis,

In response to your second question: yes, you can configure a basic VPN tunnel between two ASAs. Take a look at the following link for more details and configuration examples:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.html

Hope that helps.

-Mike

New Member

Re: VLAN on ASA 5520

Mike,

Do you have a configuration for me to do a vpn between 2 ASA 5520?

I tried to use some commands from the guide that you sent to me, but without success.

New Member

Re: VLAN on ASA 5520

Does anybody have a configuration for me to do a vpn between 2 ASA 5520?

I tried to use some commands from the isakmp/ipsec guide, but without success.

And a solution for a backup route: I found the command "track" on the internet, but it didn't work on the 5520.

thanks

New Member

Re: VLAN on ASA 5520

Here is the vpn configuration and the results

crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp enable outside
crypto map mymap 10 match address 100
access-list 100 permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 set peer 10.22.12.22
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 10.12.28.5
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG4

Re: VLAN on ASA 5520

Hi Denis,

Can you post the configurations on both sides of the tunnel? Many of the settings must match. Here is an example that should at least bring the tunnel up:

ASA1:

crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption des
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable outside
crypto map mymap 10 match address 100
access-list 100 permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 set peer 10.22.12.22
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set pfs
crypto map mymap interface outside

ASA2:

crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption des
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable outside
crypto map mymap 10 match address 100
access-list 100 permit ip 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 set peer 10.22.12.21
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set pfs
crypto map mymap interface outside

As I mentioned, if you are still having trouble, please post your existing configs that exist on each side of the tunnel.

Hope that helps.

-Mike
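
The requirement in the reply above that the two sides' settings match can be checked mechanically before the configs are applied. The following Python script is an added example, not code from the thread or from Cisco; the names `parse` and `mismatches` are hypothetical, the sample configs are abbreviated from the ASA1/ASA2 example above, and only explicitly configured lines are compared (device defaults are not filled in).

```python
# Added example: constructed inputs, abbreviated from the ASA1/ASA2 configs in the reply above.
ASA1 = """crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption des
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
access-list 100 permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 set pfs"""
ASA2 = """crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption des
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
access-list 100 permit ip 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 set pfs"""

def parse(cfg):
    """Collect the settings both peers must agree on (assumption: explicit lines only)."""
    p = {"ike": {}, "acl": set(), "ts": set(), "pfs": False}
    for w in map(str.split, cfg.splitlines()):
        if w[:3] == ["crypto", "isakmp", "policy"] and len(w) == 6 and w[4] != "lifetime":
            p["ike"].setdefault(w[3], set()).add((w[4], w[5]))  # lifetime is negotiated, so skipped
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"] and len(w) == 8:
            p["acl"].add((tuple(w[4:6]), tuple(w[6:8])))  # (source net/mask, destination net/mask)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["ts"].add(frozenset(w[4:]))  # the set's name is local; only its transforms must match
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "pfs"]:
            p["pfs"] = True
    return p

def mismatches(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the compared settings line up."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    if not {frozenset(s) for s in a["ike"].values()} & {frozenset(s) for s in b["ike"].values()}:
        out.append("no ISAKMP policy with identical hash/authentication/encryption/group on both peers")
    if {(dst, src) for src, dst in a["acl"]} != b["acl"]:
        out.append("crypto ACLs are not mirror images of each other")
    if not a["ts"] & b["ts"]:
        out.append("no transform set with the same transforms on both peers")
    if a["pfs"] != b["pfs"]:
        out.append("PFS is set on one peer only")
    return out

print(mismatches(ASA1, ASA2) or "compared settings agree")
```

The peer addresses and the pre-shared key are not compared, because the interface addresses and key configuration are not part of the configs shown in the thread.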
