4 Replies Latest reply: Dec 27, 2012 4:01 PM by Paul Stewart - CCIE Security

    Disabling Aggressive Mode on Cisco ASA 5505

    argoldsmith

Hello All,

I'm new to the Cisco ASA firewalls and need a little help with disabling aggressive mode. We currently have a site-to-site VPN set up with two ASA 5505s, one on each side, and also use AnyConnect for remote users to connect back to the office. When I do a "sh run" on one of the ASAs, here's what I found in part of the config:

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400

I've read that "crypto isakmp am-disable" will disable aggressive mode and force main mode to be used; however, I'm not sure if doing this on both ASAs will "break" the site-to-site VPN connection. If so, what other configuration steps need to be taken to use main mode only?

Thanks,

Adam G.
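The check a practitioner would want before and after running that command, as an added example that is not part of the original post and not a Cisco tool: a small Python audit that parses the ISAKMP policies out of a running-config, tells you whether aggressive mode is disabled, and reads the output of "show crypto isakmp sa" to report which live Phase 1 peers actually negotiated main mode versus aggressive mode (the ASA prefixes the SA state with MM_ for main mode and AM_ for aggressive mode, e.g. MM_ACTIVE / AM_ACTIVE). Both sample texts embedded below are constructed to resemble the poster's config and that command's output; the peer addresses are documentation addresses, not real ones. The regexes also accept the "crypto ikev1 ..." spelling that ASA 8.4 and later use for the same commands.

```python
"""Audit an ASA running-config and 'show crypto isakmp sa' output for
IKEv1 aggressive-mode exposure. Added example, not code from the original
post or from Cisco; the two sample texts below are constructed."""
import re
from typing import Dict, List

# Constructed sample modelled on the poster's policies (not a real device dump).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
"""

# The same config with aggressive mode disabled globally.
HARDENED_CONFIG = SAMPLE_CONFIG + "crypto isakmp am-disable\n"

# Constructed 'show crypto isakmp sa' output: one L2L peer that negotiated
# main mode (MM_) and one remote-access peer that negotiated aggressive mode (AM_).
SAMPLE_SA = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# ASA 8.4+ renamed 'crypto isakmp ...' to 'crypto ikev1 ...'; accept both.
AM_DISABLE = re.compile(r"^crypto (?:isakmp|ikev1) am-disable\s*$", re.M)
POLICY_HDR = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)")


def parse_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {sub-command: value}} for each ISAKMP/IKEv1 policy."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()          # tolerate the one-space indent of 'show run'
        if not line:
            continue
        m = POLICY_HDR.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in POLICY_KEYS:
            policies[current][key] = value
        else:
            current = None          # any other top-level command ends the block
    return policies


def parse_isakmp_sa(output: str) -> List[Dict[str, str]]:
    """Return one record per Phase 1 SA with peer, type, state and negotiated mode."""
    sas: List[Dict[str, str]] = []
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            sas.append({"peer": m.group(1)})
            continue
        if not sas:
            continue                # header lines before the first peer
        m = TYPE_RE.search(line)
        if m:
            sas[-1]["type"] = m.group(1)
        m = STATE_RE.search(line)
        if m:
            state = m.group(1)
            sas[-1]["state"] = state
            # The ASA prefixes the state with MM_ for main mode, AM_ for aggressive.
            sas[-1]["mode"] = "aggressive" if state.startswith("AM_") else "main"
    return sas


def audit(config: str, sa_output: str) -> Dict[str, object]:
    """Summarise exposure: is aggressive mode disabled, which policies rely on
    pre-shared keys, and which live peers negotiated aggressive vs main mode."""
    policies = parse_policies(config)
    sas = parse_isakmp_sa(sa_output)
    return {
        "am_disabled": bool(AM_DISABLE.search(config)),
        "preshare_policies": sorted(p for p, v in policies.items()
                                    if v.get("authentication") == "pre-share"),
        "aggressive_peers": [sa["peer"] for sa in sas if sa.get("mode") == "aggressive"],
        "main_mode_peers": [sa["peer"] for sa in sas if sa.get("mode") == "main"],
    }


if __name__ == "__main__":
    for name, cfg in (("current", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, SAMPLE_SA))
```

In practice you would paste the real "show run" and "show crypto isakmp sa" text into the two strings (or read them from files): any peer listed under aggressive_peers is one that will have to renegotiate, and will only succeed if it can do main mode, once am-disable is applied, while peers already showing MM_ states are unaffected by the change.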