[–]Man-i-fest 0 points (1 child)

This is scary and confusing. This is beyond the CCNA, right? Or have I missed something along the road? I did notice that in one named ACL you used a wildcard mask and then in another you used the subnet mask. I thought it was purely wildcard mask.

[–]the-packet-thrower Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! [S] 0 points (0 children)

It is more CCNA Security territory, and probably beyond that in the VTI section.

The ASA doesn't use wildcard masks but the router does.
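
The subnet-mask versus wildcard-mask difference above is the one that bites when the same ACL is typed on a router and on an ASA. The following is an added example (not from the original post or its author) that converts between the two forms, classifies a dotted quad as a subnet mask, a wildcard mask, or neither, and emits the same network as an IOS ACE (wildcard) and an ASA ACE (subnet mask). The ACL name VTI_ACL is an assumed placeholder, not a name from the thread.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer (raises ValueError on bad input)."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_mask(mask: str) -> str:
    """A wildcard mask is the bitwise complement of the subnet mask."""
    return _to_dotted(_to_int(mask) ^ ALL_ONES)


def mask_from_wildcard(wildcard: str) -> str:
    """Inverse of wildcard_from_mask (same operation, complement again)."""
    return _to_dotted(_to_int(wildcard) ^ ALL_ONES)


def mask_kind(dotted: str) -> str:
    """Classify a dotted quad:
    'subnet'        - contiguous ones from the left  (255.255.255.0)
    'wildcard'      - contiguous ones from the right (0.0.0.255)
    'either'        - 0.0.0.0 or 255.255.255.255, ambiguous on their own
    'discontiguous' - neither pattern; IOS accepts such wildcards, but it is
                      almost always a typo in a subnet-mask-style ACL
    """
    v = _to_int(dotted)
    if v in (0, ALL_ONES):
        return "either"
    if (v | (v - 1)) == ALL_ONES:   # ones on the left, zeros on the right
        return "subnet"
    if (v & (v + 1)) == 0:          # zeros on the left, ones on the right
        return "wildcard"
    return "discontiguous"


def acl_entry(network: str, name: str = "VTI_ACL",
              action: str = "permit", proto: str = "ip") -> dict:
    """Render one ACE for the given network in both dialects.
    IOS (inside 'ip access-list extended <name>') takes a wildcard mask;
    the ASA 'access-list ... extended' form takes the subnet mask.
    strict=True makes a prefix with host bits set raise ValueError.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    mask = str(net.netmask)
    addr = str(net.network_address)
    return {
        "ios": f"{action} {proto} {addr} {wildcard_from_mask(mask)} any",
        "asa": f"access-list {name} extended {action} {proto} {addr} {mask} any",
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for quad in ("255.255.255.0", "0.0.0.255", "255.0.255.0", "0.0.0.0"):
        print(f"{quad:<16} -> {mask_kind(quad)}")
    entry = acl_entry("10.1.0.0/16")
    print("IOS :", entry["ios"])
    print("ASA :", entry["asa"])
```

Running the script with a mask of the wrong kind for the platform (for instance a subnet mask pasted into an IOS ACE) shows why the thread's confusion matters: `mask_kind` reports "subnet" where the router expects a wildcard, and the resulting ACE would match almost nothing rather than the intended prefix.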

[–]RedditRicky 0 points (0 children)

I am currently doing a similar setup between an ASA and a Palo Alto, so this is really helpful. I am not using BGP, but static routes instead. Would I be correct in saying I only need to add a route for my neighbor's inside subnet and not the tunnel? For example, on the ASA02 I would add:

route Tunnel12

I also noticed that as soon as I named the tunnel, I received an error regarding my priority queue. Does this mean I cannot use a LLQ on VTIs?

ASA(config-if)# nameif TUNNEL12
ERROR: Class VOICE has 'priority' set without 'priority-queue' in any interface
ASA(config-if)# tunnel protection ipsec profile VTI