Cisco Support Community
New Member

how to enable ISAKMP outside redundant interface ?

I'm in the early stage of configuring an ASA-5520 box for remote VPN access w/ IPSec. I'm trying to enable ISAKMP on the "outside" interface (with vlan).

The outside interface would be the sub-interface 802.1Q for a redundant interface.

                   | === Gi0/0 === < --- > Switch #1
                   |           |
ASA-5520 ==        | +++ Redundant1 +++  Redundant1.251 (vlan251 outside)
                   |           |
                   | === Gi0/2 === < --- > Switch #2

Cisco Adaptive Security Appliance Software Version 8.3(1)4
Device Manager Version 6.3(1)

The command wouldn't succeed since the interface does not have a "nameif" (as suggested by cisco.com). If I do set a "nameif" then the redundant interface will pass untagged packets.

The command is "crypto isakmp enable interface-name"

It would be: crypto isakmp enable Redundant1.251 but

Here is my run conf:

interface GigabitEthernet0/0
description Switch_#1
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description *** not used ***
duplex full
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Switch_#2
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description *** not used ***
duplex full
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description mgt-vlan
nameif inside
security-level 100
ip address 172.19.24.66 255.255.254.0
management-only
!
interface Redundant1
description Switch_#1_#2
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface Redundant1.251
description vlan251
vlan 251
no nameif
security-level 100
ip address "outside_ip" 255.255.255.

Accepted Solutions
Cisco Employee

Re: how to enable ISAKMP outside redundant interface ?

In this case, you would need to configure the "nameif" command within the subinterface of the redundant interface.


Example:

interface Redundant1.251

     nameif outside

Then, on the crypto isakmp command, you would be able to refer to the above "outside" interface configured via the nameif command:

crypto isakmp enable outside

Hope that helps.

New Member

Re: how to enable ISAKMP outside redundant interface ?

Great ... but again, I read in some configuration guide "not to assign nameif" to a subint. I will try it.

Thanks

Cisco Employee

Re: how to enable ISAKMP outside redundant interface ?

No, you shouldn't configure the nameif command on the physical interface if you have subinterfaces under that particular physical interface purely because that trunk interface would not be tagged, hence it is not recommended to configure any interface settings under the physical trunk interface.
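
The two rules from the replies above (ISAKMP is enabled against a nameif, and a parent interface that carries subinterfaces stays unnamed) can be checked on a candidate configuration before it is applied. This is an added example, not part of the original thread and not Cisco code; the sample configurations are constructed from the poster's config, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the thread's configuration (not real device output).
BEFORE = """interface Redundant1
no nameif
!
interface Redundant1.251
vlan 251
no nameif
!
crypto isakmp enable Redundant1.251
"""
AFTER = BEFORE.replace("vlan 251\nno nameif", "vlan 251\nnameif outside") \
              .replace("enable Redundant1.251", "enable outside")

def parse_interfaces(config):
    """Return {interface: nameif or None}; a block runs from 'interface X' to '!'."""
    ifaces, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = None
        elif line == "!":
            current = None
        elif current and line.startswith("nameif "):
            ifaces[current] = line.split()[1]
    return ifaces

def lint(config):
    """Flag the two mistakes discussed in the thread."""
    ifaces = parse_interfaces(config)
    names = {n for n in ifaces.values() if n}
    findings = []
    # crypto isakmp enable takes a nameif, not a hardware interface ID.
    for target in re.findall(r"^\s*crypto isakmp enable (\S+)", config, re.M):
        if target not in names:
            findings.append(f"isakmp target '{target}' is not a configured nameif")
    # A parent that carries subinterfaces should stay unnamed.
    for iface in ifaces:
        parent = iface.rsplit(".", 1)[0]
        if "." in iface and ifaces.get(parent):
            findings.append(f"{parent} has nameif '{ifaces[parent]}' but carries {iface}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(cfg) or "ok")
```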
