Does the ASA 5510 support IPsec site-to-site VPN by domain name?

wangyilunwww
Level 1

Dear helper,

My issue:

Our side's device is a Cisco ASA 5510 SEC-BUN-K9 with a static IP, and the other side's device is a Cisco RV180 VPN router without a static IP (dial-up). We now plan to establish an IPsec site-to-site VPN between the two sites.

I have confirmed that the RV180 supports establishing an IPsec site-to-site VPN with the domain name method. However, I'm not sure whether the ASA 5510 also has this feature (that is, establishing an IPsec site-to-site VPN with the domain name method).

I would very much appreciate it if you could share your experience.

Accepted Solutions

The ASA can support this. You just need to configure a dynamic crypto map on the ASA. Just remember that the dynamic crypto map should have the highest sequence number within the crypto map. This is to be sure that the more specific maps are matched first. (I have left out the NAT Exempt statement in the config below.)

! Phase 1 (IKE) policy
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2

! L2L peers with no tunnel group of their own fall into DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ! placeholder: the key value is not shown in the post
 pre-shared-key YOUR-PRE-SHARED-KEY

! Traffic to be protected by the tunnel
access-list CRYPTO-MAP permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0

! Phase 2 transform set and the dynamic map that uses it
crypto ipsec transform-set MY-SET esp-aes esp-sha-hmac
crypto dynamic-map MY-DYNAMIC-MAP 10 set transform-set MY-SET
crypto map outside 100 ipsec-isakmp dynamic MY-DYNAMIC-MAP
crypto map outside 100 match address CRYPTO-MAP
crypto map outside interface outside

crypto isakmp enable outside

--
Please remember to select a correct answer and rate helpful posts
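
The ordering rule in the answer above (the dynamic entry carries the highest sequence number in its crypto map, so more specific entries match first) can be checked against a saved configuration. This Python script is an added example, not part of the original post; the sample configuration, the names BRANCH-ACL, HQ-ACL and dmz, the documentation-range peer addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (not from a real device): in crypto map "outside"
# a static peer entry (seq 200) sits after the dynamic entry (seq 100).
SAMPLE_CONFIG = """\
crypto dynamic-map MY-DYNAMIC-MAP 10 set transform-set MY-SET
crypto map outside 100 ipsec-isakmp dynamic MY-DYNAMIC-MAP
crypto map outside 200 match address BRANCH-ACL
crypto map outside 200 set peer 192.0.2.10
crypto map outside 200 set transform-set MY-SET
crypto map outside interface outside
crypto map dmz 10 match address HQ-ACL
crypto map dmz 10 set peer 198.51.100.7
crypto map dmz 65000 ipsec-isakmp dynamic MY-DYNAMIC-MAP
"""

# Matches 'crypto map NAME SEQ <rest>'; 'crypto map NAME interface IF' has no
# numeric sequence and is skipped, as are 'crypto dynamic-map' lines.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_crypto_maps(config):
    """Return {map_name: {seq: is_dynamic}} for every crypto map entry."""
    maps = defaultdict(dict)
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        is_dynamic = rest.startswith("ipsec-isakmp dynamic ")
        # An entry is dynamic if any of its lines binds it to a dynamic map.
        maps[name][seq] = maps[name].get(seq, False) or is_dynamic
    return maps

def misordered_dynamic_entries(config):
    """Return (map, dynamic_seq, later_static_seqs) for each dynamic entry
    that is followed by static entries, which it would shadow."""
    findings = []
    for name, entries in sorted(parse_crypto_maps(config).items()):
        static_seqs = sorted(s for s, dyn in entries.items() if not dyn)
        for seq in sorted(s for s, dyn in entries.items() if dyn):
            later = [s for s in static_seqs if s > seq]
            if later:
                findings.append((name, seq, later))
    return findings

if __name__ == "__main__":
    for name, seq, later in misordered_dynamic_entries(SAMPLE_CONFIG):
        print(f"crypto map {name}: dynamic entry {seq} precedes static {later}")
```
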


Hi Marius,

Thank you very much for your help, I will act on it.

Best regards,

wang yi lun
