Cisco ASA Point to Point VPN

dbuckley77
Level 1

I set up a Cisco ASA VPN tunnel a while back with a PA firewall on the other end, where the ASA was behind a Comcast modem that had a block of 5 public static IPs, so the Comcast modem had one from the block and I was able to use another from the block for the outside interface on the ASA. I am setting another VPN tunnel up, but the ASA at this site is behind a Comcast modem with only a single DHCP IP, so what do I use for the IP on the outside int of the ASA?

3 Replies

Hi

On Cisco firewalls you can use dynamic maps. I'm not sure if you can use them in other solutions (vendors), but if your ASA is receiving a random IP from a modem, you should configure the VPN as normal, pointing to the IP of the remote peer in the crypto map.

>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

I'm sorry, but that did not help. Are you saying I should set the outside interface on the ASA to DHCP so it will pull an IP from the Comcast modem, and then just point the tunnel to the public IP of the peer at the other end of the tunnel?

If I am understanding your posts correctly, you have an existing site-to-site VPN between your ASA and a remote non-Cisco device where both your ASA and the remote peer have static public IP addresses. Now you want to bring up another site-to-site VPN, but for the new VPN the remote peer ASA does not have a static public IP address and is learning a private IP using DHCP. Is this understanding correct? This implementation, where one peer uses static addressing while the other peer uses dynamic addressing, is quite possible.

The configuration of the new remote ASA is pretty straightforward. It will have a normal crypto configuration with a normal crypto map, and it will identify the public IP of your ASA as its peer. The authentication, the transform set, the tunnel group and address translation would all be configured as usual for a site-to-site VPN. Where things get different is in the configuration of your ASA. Since the remote address will be dynamic, your ASA does not know what IP address will be used by the remote peer. So in configuring authentication you cannot specify the remote address and must configure your ASA to negotiate authentication with any device that sends a request. And you cannot have a usual crypto map entry, because you do not know the address of the remote peer. So you will configure a dynamic crypto map entry.

HTH

Rick
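As an added example that is not from the thread, here is a configuration pair laid out the way Rick describes it, assuming ASA 8.4+ syntax with IKEv1 and pre-shared keys; the interface name, network ranges, object and map names, the 203.0.113.10 address and the PSK placeholder are all constructed for illustration.

```cisco
! --- Remote ASA (behind the single-DHCP-address Comcast modem) ---
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
access-list VPN-TO-HQ extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
! Static crypto map: the peer (your ASA) has a known public address
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-LONG-RANDOM-PSK>
!
! --- Your ASA (static public address 203.0.113.10, constructed) ---
! Same IKEv1 policy and transform set as above, then:
crypto ikev1 enable outside
access-list VPN-TO-BRANCH extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
! Dynamic crypto map: no "set peer", because the remote address is unknown.
! "match address" is optional but limits what an unknown peer may negotiate.
crypto dynamic-map DYN-MAP 10 match address VPN-TO-BRANCH
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set TS-AES256-SHA
! Dynamic entries take the highest sequence so static peers are matched first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
! Any peer not matched by a named tunnel-group authenticates against this one
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-LONG-RANDOM-PSK>
! Identity NAT so the VPN traffic is not translated (mirror it on the remote side)
object network LAN-HQ
 subnet 192.168.10.0 255.255.255.0
object network LAN-BRANCH
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) source static LAN-HQ LAN-HQ destination static LAN-BRANCH LAN-BRANCH no-proxy-arp route-lookup
```

Because the static side has no peer address to call, only the DHCP-addressed ASA can initiate the tunnel, and the pre-shared key on DefaultL2LGroup is the only thing gating which unknown peer can bring it up, so keep the key long and the crypto ACL narrow.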