Showing results for 
Search instead for 
Did you mean: 

ASA VTI Tunnel from dynamic remote address

Can I configure a VTI tunnel (the new routing type) so the destination can come from a dynamic address (i.e. where the remote device, in my case a router, has a DHCP assigned address)? 


I have tried various ways so far without success.  I can get a configuration to work so long as I use a static destination address and associated TUNNEL-GROUP name.


Is there an example config anywhere posted? 

Everyone's tags (3)

Re: ASA VTI Tunnel from dynamic remote address

To elaborate slightly: By using aggressive mode I can get the ASA to use a tunnel-group which has a name, not an IP, but I cannot figure out how to get rid of the destination in the tunnel definition, e.g. 


interface Tunnel36
 nameif vti36
 ip address 
 tunnel source interface outside
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTIPROFILE

That is my problem, I can't find any syntax on the ASA side that can get rid of it and still have a VTI Tunnel Interface (which I want to use with EIGRP via BGP redistribution). 

Re: ASA VTI Tunnel from dynamic remote address

Just for grins, I asked our partner for pre-sale help (since this is for a planned project), and was told that whether or not VTI on ASA can support a tunnel destination that is DHCP assigned is a post-sale, TAC question.


So ... buy it, and we'll tell you then if it works or not.


We're moving forward with a small router to terminate these tunnels on, at least I know that works. And nicely it supports EIGRP, so no need for BGP redistribution.

CreatePlease to create content
Ask the Expert- MPLS troubleshooting