Cisco Support Community

ASA5550 Crypto isakmp key ********** address 0.0.0.0 0.0.0.0

Migrating from 7206VXR to ASA5550.

The following crypto statement works on the VXR router but is not accepted by the ASA. It allows me to enter just 0.0.0.0 but then says I can only set up L2L in aggressive mode. Any thoughts on how to allow any address to create a L2L tunnel?

crypto isakmp key **** address 0.0.0.0 0.0.0.0

3 REPLIES

Re: ASA5550 Crypto isakmp key ********** address 0.0.0.0 0.0.0.0

If I'm not mistaken, crypto isakmp key **** address 0.0.0.0 0.0.0.0 is to allow an IOS router to accept dynamic IPsec peer connections in a L2L scenario.

To achieve this on the ASA you will need to configure dynamic-to-static IPsec L2L tunnels between your ASA5550 that has a static public IP on the outside interface and your peers that have dynamic, non-static assignments.

Have a look here:

L2L between Static ASA/PIX and router Dynamic IP

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

L2L PIX-to-PIX Static and Dynamic

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Rgds

Jorge

Re: ASA5550 Crypto isakmp key ********** address 0.0.0.0 0.0.0.0

AFAIR, the ASA will give you a warning message. But if you look at 'show run tunnel-group' you will see this key.

In the ASA 7.x code, the old crypto isakmp key is no longer used. Instead keys are entered under the tunnel group >> ipsec attributes.

Regards

Farrukh
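The tunnel-group form described in the reply above, sketched for ASA 7.x as an added example (not configuration posted by anyone in the thread). The names ESP-AES-SHA, DYN-L2L and OUTSIDE-MAP and the key placeholder are assumptions; DefaultL2LGroup is the ASA's built-in group for L2L peers that match no specific tunnel-group.

```cisco
! Added example. Object names and the key placeholder are hypothetical.
! Phase 1 policy using pre-shared keys
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
!
! Phase 2 proposal offered to the dynamic peers
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
!
! The dynamic map accepts peers whose address is not known in advance.
! It is attached at a high sequence number so static entries match first.
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
!
! The key replaces "crypto isakmp key ... address 0.0.0.0 0.0.0.0".
! Every peer without its own tunnel-group authenticates with this key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
```

Because every unmatched peer shares this one key, peers with a known static address are better given their own tunnel-group and key; 'show run tunnel-group' confirms where each key is stored.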


Re: ASA5550 Crypto isakmp key ********** address 0.0.0.0 0.0.0.0

Thanks Farrukh,

I ended up using a DMVPN config with the tunnel group statements as you mentioned. It worked like a charm; however, it only works in aggressive mode, which ends up failing our PCI compliance. So it looks like I will have to just write up a compensating controls document to account for it. I appreciate the feedback I received.
