
Dynamic IP to Static IP IPSEC VPN Tunnel

Raul18629
Level 1

I have been trying to establish an IPsec VPN between two ASAs, one of them with an ISP that provides a public IP, and the other with a fixed IP. I did the configuration of each one of them and I can see that the VPN is established through the show crypto isakmp sa command, but nevertheless when applying the show crypto ipsec sa command, I can see that the packets are not returned through the tunnel. It does not allow the connection between the NATed networks to be established.

 

Configuration ASA IP Dynamic

 

access-list Backup_cryptomap_2 extended permit ip object HierroC_Valencia object-group Redes_Remota

 

nat (inside,Backup) source static HierroC_Valencia HierroC_Valencia destination static Redes_Remota Redes_Remota no-proxy-arp route-lookup

 

 

crypto ipsec ikev1 transform-set Crypto_HierroC_Valencia esp-3des esp-sha-hmac

crypto map Backup_map 2 match address Backup_cryptomap_2
crypto map Backup_map 2 set peer 200.35.79.163
crypto map Backup_map 2 set ikev1 transform-set Crypto_HierroC_Valencia
crypto map Backup_map interface Backup
crypto ca trustpool policy


crypto ikev1 enable outside
crypto ikev1 enable Backup
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400


group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy


tunnel-group 200.35.79.163 type ipsec-l2l
tunnel-group 200.35.79.163 general-attributes
default-group-policy GroupPolicy1
tunnel-group 200.35.79.163 ipsec-attributes
ikev1 pre-shared-key *****

 

 

 

Configuration ASA Vpn IP Static


nat (inside,outside) source static Redes_Sede_Principal_y_Remota Redes_Sede_Principal_y_Remota destination static Hierro_CValencia Hierro_CValencia no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set Prueba esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set Prueba
crypto dynamic-map outside_dyn_map 1 set reverse-route


crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpool policy


crypto ikev1 policy 8
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400


tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
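
The symptom described in the post (tunnel up, packets not returned) can be read per SA from the `show crypto ipsec sa` counters. The following Python is an added example, not part of the original post: it parses that output and labels each SA by traffic direction. The sample output is constructed, and the function names `parse_sas` and `classify` are hypothetical.

```python
import re

# Constructed sample of `show crypto ipsec sa` output; addresses are placeholders except the peer.
SAMPLE = """\
interface: Backup
    Crypto map tag: Backup_map, seq num: 2, local addr: 192.0.2.10
      local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 200.35.79.163
      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
      current_peer: 200.35.79.163
      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
"""

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER = re.compile(r"current_peer: ([^\s,]+)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Return one dict per IPsec SA: selectors, peer, encaps and decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        ident = IDENT.search(line)
        if ident and ident.group(1) == "local":   # a local ident opens a new SA block
            cur = {"peer": None, "remote": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
        if cur is None:
            continue                               # header lines before the first SA
        if ident:
            cur[ident.group(1)] = f"{ident.group(2)}/{ident.group(3)}"
        if (peer := PEER.search(line)):
            cur["peer"] = peer.group(1)
        for name, value in COUNT.findall(line):
            cur[name] = int(value)
    return sas

def classify(sa):
    """Label the traffic direction seen on one SA from its counters."""
    if sa["encaps"] and not sa["decaps"]:
        return "tx-only"   # this end encrypts and sends, nothing comes back
    if sa["decaps"] and not sa["encaps"]:
        return "rx-only"   # peer's packets arrive, replies never enter the tunnel
    return "two-way" if sa["encaps"] else "idle"

for sa in parse_sas(SAMPLE):
    print(sa["local"], "->", sa["remote"], "via", sa["peer"], ":", classify(sa))
```

Running it against the output captured on both ASAs shows which end is encrypting without receiving replies, and for which pair of networks.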
