
VPN on 520 to 5520 asa conversion

bkootstra
Level 1

Currently we VPN from our Cisco 520 to a contractor's Cisco 520 with no problem. We are moving to a 5520 ASA device and I copied our configuration from the 520 to the new 5520 ASA. I understand that a straight copy from the 520 to the 5520 ASA would be possible. When I plugged in the new device I could not VPN to the contractor's 520 using the same code that worked on our 520. Any suggestions on what to look for moving from the 510 to the 5520 for VPN?

1 Reply

gfullage
Cisco Employee

There were a lot of CLI changes from 6.x to the 7.0 code that the ASA runs. Normally when you upgrade from 6.x to 7.0 the upgrade process takes care of doing the config conversion for you, but in your case of cut/pasting the config in, that won't work. I'm assuming you are describing a LAN-to-LAN tunnel here, so the main change you'll need in the ASA config is to add a tunnel-group for that peer, and define the pre-shared key under there.

A sample v6.x LAN-to-LAN config looks like this:

sysopt connection permit-ipsec

crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 172.22.112.12

crypto map transam 1 set transform-set chevelle

crypto map transam interface outside

isakmp enable outside

isakmp key address 172.22.112.12 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

The corresponding v7 config would look like this (note the "isakmp key ...." command has been replaced with a tunnel-group):

crypto ipsec transform-set chevelle esp-des esp-md5-hmac

crypto map transam 1 match address 101

crypto map transam 1 set peer 172.22.112.12

crypto map transam 1 set transform-set chevelle

crypto map transam interface outside

isakmp enable outside

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

tunnel-group 172.22.112.12 type ipsec-l2l

tunnel-group 172.22.112.12 ipsec-attributes

  pre-shared-key

See http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/site2sit.htm for details.
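An added example, not part of the original reply and not Cisco tooling: a Python check that scans a pasted configuration for crypto map peers lacking the 7.0 tunnel-group and pre-shared key described above, and rewrites a 6.x `isakmp key` line into that stanza. The sample config, `EXAMPLE-KEY` and the function names are constructed for illustration, and the parser assumes sub-mode commands are indented as in the reply's sample.

```python
import re

# Constructed sample (EXAMPLE-KEY is a placeholder): 6.x lines pasted onto 7.0.
PASTED_6X = """\
crypto map transam 1 match address 101
crypto map transam 1 set peer 172.22.112.12
crypto map transam interface outside
isakmp key EXAMPLE-KEY address 172.22.112.12 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
"""

PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (.+)$")
OLD_KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) (type ipsec-l2l|ipsec-attributes)$")


def to_tunnel_group(old_line):
    """Rewrite one 6.x 'isakmp key' line as the 7.0 tunnel-group stanza."""
    key, peer = OLD_KEY_RE.match(old_line).groups()
    return (f"tunnel-group {peer} type ipsec-l2l\n"
            f"tunnel-group {peer} ipsec-attributes\n"
            f"  pre-shared-key {key}\n")


def audit(config):
    """List (peer, problem) pairs for crypto map peers not ready for 7.0."""
    peers, old_style, l2l, keyed = set(), set(), set(), set()
    current = None  # peer whose ipsec-attributes sub-mode we are in
    for line in map(str.rstrip, config.splitlines()):
        if not line:
            continue
        if line[0].isspace():  # indented line = sub-mode command
            if current and line.strip().startswith("pre-shared-key "):
                keyed.add(current)
            continue
        current = None
        if m := PEER_RE.match(line):
            peers.update(m.group(1).split())
        elif m := OLD_KEY_RE.match(line):
            old_style.add(m.group(2))
        elif m := TG_RE.match(line):
            if m.group(2) == "ipsec-attributes":
                current = m.group(1)
            else:
                l2l.add(m.group(1))
    out = [(p, "no tunnel-group of type ipsec-l2l") for p in sorted(peers - l2l)]
    out += [(p, "no pre-shared-key in ipsec-attributes") for p in sorted(peers - keyed)]
    out += [(p, "6.x 'isakmp key' line, use a tunnel-group") for p in sorted(old_style)]
    return out
```

`audit(PASTED_6X)` reports three findings for 172.22.112.12; after the `isakmp key` line is replaced by the output of `to_tunnel_group`, it reports none.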
