06-26-2008 06:22 AM - edited 03-11-2019 06:05 AM
What would need to be changed for this to be dynamic?
access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
access-list nonat extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer xx.xxx.xxx.101
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group xx.xxx.xxx.101 type ipsec-l2l
tunnel-group xx.xxx.xxx.101 ipsec-attributes
 pre-shared-key ciscorules
06-26-2008 07:30 AM
Clarification:
ASA has a static IP.
PIX has a dynamic IP.
I need to create a site-to-site tunnel between them.
06-26-2008 07:45 AM
On the ASA, use the DefaultL2LGroup; don't create a tunnel group with the IP address of the PIX, as it will change.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
and...
access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
crypto dynamic-map dyn_map 10 match address 100
crypto dynamic-map dyn_map 10 set pfs
crypto dynamic-map dyn_map 10 set transform-set myset
crypto map outside_map 20 ipsec-isakmp dynamic dyn_map
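
An added example, not part of the thread and not Cisco tooling: a small Python check that cross-references the pieces the reply relies on (ACL, transform-set, dynamic-map, interface binding, DefaultL2LGroup key) and flags a sequence number that carries both a static peer and a dynamic binding. The function name `audit` and the sample config are constructed for illustration.

```python
import re

# Constructed sample: lines from the question merged with the reply's lines;
# the static entry (seq 20, set peer) is left in on purpose.
SAMPLE = """\
access-list 100 extended permit ip 172.25.2.0 255.255.255.0 10.100.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 set peer xx.xxx.xxx.101
crypto dynamic-map dyn_map 10 match address 100
crypto dynamic-map dyn_map 10 set pfs
crypto dynamic-map dyn_map 10 set transform-set myset
crypto map outside_map 20 ipsec-isakmp dynamic dyn_map
crypto map outside_map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
"""

def audit(config):
    """Return findings for a dynamic-peer L2L config (hypothetical helper)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = {m.group(1) for ln in lines if (m := re.match(r"access-list (\S+) ", ln))}
    tsets = {m.group(1) for ln in lines if (m := re.match(r"crypto ipsec transform-set (\S+)", ln))}
    dyn, static_seq, dyn_seq, findings = {}, set(), {}, []
    for ln in lines:
        if m := re.match(r"crypto dynamic-map (\S+) \d+ (match address|set transform-set) (\S+)", ln):
            dyn.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"crypto map (\S+) (\d+) set peer ", ln):
            static_seq.add((m.group(1), m.group(2)))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", ln):
            dyn_seq[(m.group(1), m.group(2))] = m.group(3)
    for key, name in dyn_seq.items():
        if name not in dyn:
            findings.append(f"dynamic-map {name} is referenced but not defined")
        if key in static_seq:
            findings.append(f"crypto map {key[0]} {key[1]} has both a static peer and a dynamic binding")
        if not any(re.match(rf"crypto map {re.escape(key[0])} interface ", ln) for ln in lines):
            findings.append(f"crypto map {key[0]} is not applied to an interface")
    for name, refs in dyn.items():
        for kind, ref in refs:
            if ref not in (acls if kind == "match address" else tsets):
                findings.append(f"dynamic-map {name}: {kind} {ref} is not defined")
    # Peers with unknown IPs land in DefaultL2LGroup; only the next line is checked.
    grp = "tunnel-group DefaultL2LGroup ipsec-attributes"
    if grp not in lines:
        findings.append("DefaultL2LGroup ipsec-attributes block is missing")
    elif not any(ln.startswith("pre-shared-key ") for ln in lines[lines.index(grp) + 1:][:1]):
        findings.append("pre-shared-key does not follow DefaultL2LGroup ipsec-attributes")
    return findings
```

Running `audit(SAMPLE)` reports the leftover static peer on sequence 20; with that line removed, the list is empty.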