01-22-2009 11:45 AM - edited 02-21-2020 03:14 AM
Hey guys,
We have an ASA 5540 at our main office and we established a site-to-site VPN with several small offices (the small offices have PIX 506 and ASA 5505) at different places which are connected through cable modems, and the cable modems pull dynamic IPs from the CMTS. On a few of the firewalls at the offices we assigned a static because whenever the cable modem pulls a new IP we need to change the IP on the main ASA 5540 in our office to bring the tunnel up. Is there any other way through which the ASA learns the IP by itself so we don't need to manually change the IP on the ASA?
Thank you so much in advance
Kindly help me through this
01-22-2009 11:54 AM
Have you tried dynamic-to-static L2Ls? The dynamic side will always have to be the initiator.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
Regards
01-23-2009 07:12 AM
Thank you so much for the doc.
We already have configs in place for both the firewalls. I noticed this: isakmp key ******** address 0.0.0.0 netmask 0.0.0.0...
Would this be all we need?
If you can help me how to do it, with commands, that would be great. Thanks a lot.
01-24-2009 07:24 PM
Davi, I'm sorry I did not see your second reply.
For the PIXs, meaning the remote sites that have dynamic DHCP on their outside interfaces, you need to configure them as regular L2L and specify the peer address, which is the HQ ASA appliance that does have a static IP on the outside interface.
Assume the HQ ASA outside interface is 20.20.20.1
For the PIX side it would be something similar to:
isakmp key <******> address 20.20.20.1 netmask 255.255.255.255 no-xauth no-config-mode
For the HQ side the crypto map type would be dynamic-map, as seen in the example link for the LION HQ firewall, which is the static side. For the pre-shared key you can use the default tunnel group the ASA already has, DefaultL2LGroup; that pre-shared key will be used for the remote sites to authenticate
the tunnel. Please try to configure it. Pay attention also to the NAT-exempt access-list 100 seen in the example, which permits the source and destination networks, and apply the access list in the nat statement:
nat (inside) 0 access-list 100. Make sure the transform sets are identical at both ends. Again, make an attempt to configure the tunnel with your first remote site and have that remote side initiate traffic to bring up the tunnel; if the tunnel does not come up, come back and I will help you out.
I quote from the link above.
This would be the HQ side for the dynamic settings:
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
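As an added, complete example (not from the thread, the linked Cisco document, or any production config) of the dynamic-to-static L2L design described above: the HQ ASA keeps its static address 20.20.20.1 from the thread and uses a dynamic crypto map with the DefaultL2LGroup key, while the remote PIX 506 (PIX 6.3 syntax) points a regular static crypto map at HQ. The HQ LAN 10.0.0.0/24, the remote LAN 192.168.1.0/24, the map and transform-set names and the key value are assumptions chosen for illustration; the key is a placeholder to be replaced.

```cisco
! ---- HQ ASA 5540: static outside IP 20.20.20.1 (assumed LAN 10.0.0.0/24) ----
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set myset esp-aes esp-sha-hmac
! Dynamic map: no "set peer", so HQ accepts any remote address that presents the
! right pre-shared key and matching phase 1/phase 2 parameters; HQ cannot initiate.
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
! The key goes in the default L2L group because the remote IP is not known in advance
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_KEY
! NAT exemption: traffic between the two LANs must not be translated before encryption
access-list 100 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-vpn

! ---- Remote PIX 506 (PIX 6.3): DHCP address on outside (assumed LAN 192.168.1.0/24) ----
! Mirror of HQ's exemption list; the same list is also the crypto "interesting traffic"
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 20.20.20.1
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
! Key is bound to HQ's static address; no-xauth/no-config-mode keep this a pure L2L peer
isakmp key REPLACE_WITH_STRONG_KEY address 20.20.20.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two points to check before rolling this out: the transform set and ISAKMP policy values must match on both sides exactly, and because the HQ dynamic map accepts any source address, the DefaultL2LGroup pre-shared key is the only thing identifying the remote sites, so it should be long and random and rotated if a remote device is lost.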
01-26-2009 05:52 AM
Thank you so much for your help sir.
Will configure it the way u suggested.
Much appreciated. Thanks a lot again.
01-26-2009 10:09 AM
No problem, please let me know the progress. I would suggest starting with the PIX 506 site first, which will be much easier. When the PIX side initiates the tunnel and there is no connection issue at the remote-site PIX or the HQ-site ASA, run show crypto isakmp sa; if you see QM_IDLE the tunnel would be up, but if source hosts cannot connect to destination hosts in HQ we will take a look at the nonat access-lists at both ends.
example:
PIX506LAB#show crypto isakmp sa
Total : 1
Embryonic : 0
dst          src          state     pending   created
63.x.x.x     68.x.x.xx    QM_IDLE   0         1
PIX506ELAB#
Regards
01-26-2009 11:35 AM
Thank you so much for your help.
Our managers want us to test this with the equipment we have and show them the results first before we put this into the production network.
will keep you updated.
Would the tunnel come up by itself even after the pix at office pulls another Ip or after it pulls another ip do we have to clear ipsec and isakmp sessions to bring tunnel up ?
Thank you so much again for your time and patience.
01-26-2009 12:31 PM
Would the tunnel come up by itself even after the pix at office pulls another Ip or after it pulls another ip do we have to clear ipsec and isakmp sessions to bring tunnel up ?
If this happens on the PIX side then you need to send interesting traffic from the remote side to bring the tunnel back up; interesting traffic could be a PING or RDP that generates traffic that will go through the tunnel. Remember the HQ is dynamic and will accept the connection on a new IP from the DHCP side as long as the secret keys or any other config pertaining to the IPsec policy is NOT changed at either end.
Usually the dynamic DHCP side may pick a new IP if the PIX is rebooted or when the lease time the ISP has set expires at certain times/dates. If I'm not mistaken DHCP leases last quite a while, but it all depends on the ISP.
Keep us posted; a pleasure to help.
Regards
01-26-2009 02:04 PM
Will do that
Thanks a lot sir