[c-nsp] terminating many l2l tunnels on an ASA

Ryan ryanclambert at gmail.com
Fri Sep 19 23:27:10 EDT 2008


Yep -- it was a two in one, really.

Maybe with a configuration as involved as 150 tunnels and 1000+ lines of
text, it's just not feasible to use the CLI without going insane. I've used
ASDM a few times and I really just didn't get into it. I suppose it could
just be my lack of experience in the GUI, and personal bias toward the CLI
in general -- I find it faster to work with in almost all situations.

Also, if there is any clever solution, I'd love to hear a way to actually
drop this configuration down to something less bloated since the sites are
almost identical, albeit not on Cisco hardware.

-Ryan

-----Original Message-----
From: Christian Koch [mailto:christian at broknrobot.com] 
Sent: Friday, September 19, 2008 8:54 PM
To: Alex Balashov; Ryan; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] terminating many l2l tunnels on an ASA

I don't believe that is what he is asking..

The way I interpreted his question was if there is a way to
consolidate his configuration...

Something like using peer-groups and peer-templates with BGP to group
identical-configuration-items...

If so, I don't know of any way to do so.. but if there is one, would love to
know

Christian




On 9/19/08, Alex Balashov <abalashov at evaristesys.com> wrote:
> Well, the ASAs do have a nice Java GUI with a high level of
> sophistication similar to the PIX's and VPN Concentrators.  That can
> definitely help cut down on management clutter, and is the easier way to
> manage an ASA anyhow, seeing as its config format is just as abstruse
> and different from everything IOS as PIX.
>
> Ryan wrote:
>
>> Hey everyone, question for those of you who may have already suffered this
>> unfortunate fate -
>>
>> Background:
>>
>> I have about 150 site to site VPN tunnels I need to terminate for an ASA.
>> Zero (yes, zero) of the remote end devices are Cisco. I do not have any
>> control over these devices. Everything is the same except for the remote
>> subnets, and obviously the peer IPs. Encryption, PSK, etc. all matching.
>>
>> One of the requirements is that the tunnel is able to be brought up by
>> generating traffic from my side (kind of shoots down a dynamic L2L I
>> -think-)
>>
>> I am using a Cisco ASA 5520 with a VPN Plus license. I don't have the option
>> of purchasing anything else to help with this.
>>
>> The actual question:
>>
>> Does anyone know of a decent way to bring these up without cluttering my
>> config with 1000+ lines of ACL, tunnel-group config, etc?
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> --
> Alex Balashov
> Evariste Systems
> Web    : http://www.evaristesys.com/
> Tel    : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (706) 338-8599
>

-- 
Sent from my mobile device
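Nobody in the thread knows of a peer-group style construct on the ASA for L2L tunnels, so the usual practitioner answer to "1000+ lines of near-identical config" is to keep the few per-site variables in an inventory and generate the repetitive lines. The following is an added example written for this page, not code from the thread participants or from Cisco. It assumes the pre-8.4 ASA crypto map and tunnel-group syntax of the thread's era, uses static crypto map entries (a dynamic crypto map would only let the remote side initiate, and the question requires that traffic from the ASA side can bring the tunnel up), and all inventory values, the local subnet 10.0.0.0/24 and the names OUTSIDE_MAP, ESP-AES-SHA and VPN_TO_<site> are constructed placeholders.

```python
"""Generate per-peer Cisco ASA L2L tunnel configuration from a small inventory.

Added example (not from the thread or from Cisco). Assumes pre-8.4 ASA syntax
and that only the peer address, remote subnet and pre-shared key differ per
site; the ISAKMP policy, transform set and crypto map interface binding are
configured once by hand and are not generated here.
"""
import csv
import io
import ipaddress

# Constructed inventory, one line per remote site (hypothetical values).
INVENTORY_CSV = """\
site,peer,remote_subnet,psk
site001,203.0.113.10,192.168.1.0/24,example-psk-001
site002,203.0.113.20,192.168.2.0/24,example-psk-002
site003,198.51.100.5,172.16.50.0/23,example-psk-003
"""

LOCAL_SUBNET = "10.0.0.0/24"      # assumed network behind the ASA
CRYPTO_MAP = "OUTSIDE_MAP"         # assumed crypto map name (bound to 'outside' by hand)
TRANSFORM_SET = "ESP-AES-SHA"      # assumed transform-set name, defined once by hand
SEQ_START, SEQ_STEP = 10, 10       # crypto map sequence numbers, one per site


def parse_inventory(text):
    """Parse the CSV and validate every field, so a typo fails here rather than
    producing a wrong ACL or a duplicate tunnel-group on the ASA."""
    sites = []
    seen_peers = set()
    for row in csv.DictReader(io.StringIO(text)):
        peer = ipaddress.ip_address(row["peer"])
        # strict=True rejects e.g. 192.168.1.1/24 (host bits set)
        subnet = ipaddress.ip_network(row["remote_subnet"], strict=True)
        if peer in seen_peers:
            raise ValueError(f"duplicate peer {peer}: tunnel-group names must be unique")
        if not row["psk"]:
            raise ValueError(f"{row['site']}: empty pre-shared key")
        seen_peers.add(peer)
        sites.append({"site": row["site"], "peer": str(peer),
                      "subnet": subnet, "psk": row["psk"]})
    return sites


def acl_entry(name, local, remote):
    """ASA extended ACL line; ASA wants 'network mask', not CIDR notation."""
    return (f"access-list {name} extended permit ip "
            f"{local.network_address} {local.netmask} "
            f"{remote.network_address} {remote.netmask}")


def render_site(site, seq):
    """The per-site block: crypto ACL, static crypto map entry, tunnel-group."""
    local = ipaddress.ip_network(LOCAL_SUBNET)
    acl = f"VPN_TO_{site['site'].upper()}"
    return [
        acl_entry(acl, local, site["subnet"]),
        f"crypto map {CRYPTO_MAP} {seq} match address {acl}",
        f"crypto map {CRYPTO_MAP} {seq} set peer {site['peer']}",
        f"crypto map {CRYPTO_MAP} {seq} set transform-set {TRANSFORM_SET}",
        f"tunnel-group {site['peer']} type ipsec-l2l",
        f"tunnel-group {site['peer']} ipsec-attributes",
        f" pre-shared-key {site['psk']}",
        "!",
    ]


def render_config(inventory_text):
    """Return the full generated configuration as one string."""
    lines = []
    for i, site in enumerate(parse_inventory(inventory_text)):
        lines.extend(render_site(site, SEQ_START + i * SEQ_STEP))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(INVENTORY_CSV))
```

Sequence numbers and ACL names are derived deterministically from the inventory order, so regenerating after a change yields a config that can be diffed against the running one before it is pasted in. Because the key is read per peer, giving each of the 150 sites its own pre-shared key costs nothing extra, and a key recovered from one compromised remote device then cannot be used to pose as another site.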
