529 Views · 0 Helpful · 3 Replies

Dynamic L2L between ASA 5505

Hello,

we're realizing a project with 5x ASA 5505 Base License and one 5512-X in a computing center. The 5 branches shall work as dynamic sites, because they all run on dynamic internet connections. I read that on the main site (ASA 5512-X) access from dynamic IPs must be permitted, so that an IKE exchange and the IPsec tunnel can be established.

We are all new to Cisco ASA devices. I read a lot in "Cisco ASA Configuration" written by Richard A. Deal and "Cisco ASA: All-in-One Firewall..." written by Frahim & Santos. Everywhere only static L2L tunnels are discussed, but dynamic L2L scripts are missing.

I've done all the config with ASDM, but have read many CLI configurations also.

I got different failures in ASDM syslog, depending on which mode I choose.

I paste the config of both ASA 5505s (for a test tunnel). Later the 5505s and the 5512-X will be connected.

One comes with a dynamic crypto map and the other with a static one.

I would be grateful if someone could figure out what the problem is.

Greets,

Sascha

Config is attached.

3 Replies

Jouni Forss
VIP Alumni

Hi,

Here is one good document giving an example of a configuration where you have a central site with a static public IP address and all the remote sites have dynamic IP addresses from which they connect.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113573-sol-tunnels-groups.html

- Jouni
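The topology Jouni describes (central site with a static address, branches with dynamic addresses) and the dynamic-versus-static crypto map split the original post mentions can be shown side by side in ASA CLI. The following is an added example written for this thread; it is not the configuration from the linked Cisco document, not the poster's attached config, and not vendor-supplied text. It assumes ASA 8.4+ syntax with IKEv1 and pre-shared keys, and all addresses, object names, map names and the key are constructed placeholders (hub public IP 203.0.113.1, hub LAN 10.0.0.0/24, branch LANs 192.168.10.0/24 and 192.168.20.0/24).

```cisco
! ---------- Hub ASA (static public IP, constructed value 203.0.113.1) ----------
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Branch LANs the hub should reach (constructed prefixes)
object-group network BRANCH-LANS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
!
! NAT exemption so hub<->branch traffic is not translated before encryption
nat (inside,outside) source static HUB-LAN HUB-LAN destination static BRANCH-LANS BRANCH-LANS no-proxy-arp route-lookup
!
! Dynamic crypto map: the branch address is unknown, so there is no "set peer".
! "set reverse-route" installs a route to the branch LAN once the tunnel is up.
crypto dynamic-map DYN-BRANCHES 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-BRANCHES 10 set reverse-route
!
! Dynamic entries go last (highest sequence) so static entries are matched first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-BRANCHES
crypto map OUTSIDE-MAP interface outside
!
! With IKEv1 main mode + PSK the hub cannot tell branches apart before
! authentication, so unknown peers land in DefaultL2LGroup and share this key.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key ReplaceWithStrongKey

! ---------- Branch ASA 5505 (dynamic public IP; only the hub is a fixed peer) ----------
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
object network BRANCH-LAN
 subnet 192.168.10.0 255.255.255.0
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static BRANCH-LAN BRANCH-LAN destination static HUB-LAN HUB-LAN no-proxy-arp route-lookup
!
! Static crypto map: the branch knows the hub address, so it defines the
! interesting traffic and the peer explicitly and initiates the tunnel.
access-list BRANCH-TO-HUB extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address BRANCH-TO-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! The branch tunnel-group is named after the hub's static IP and carries the same PSK
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key ReplaceWithStrongKey
```

Only the branch can initiate, since the hub has no peer address to dial; after sending interesting traffic from a branch LAN host, `show crypto ikev1 sa` and `show crypto ipsec sa` on either side show the phase 1 and phase 2 SAs. The security trade-off to keep in mind is that every branch shares the DefaultL2LGroup key in this variant, so a key leaked from one 5505 lets any host on the internet bring up a tunnel to the hub; per-branch certificates let the hub map each peer to its own tunnel group instead.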

Hi JouniForss,

thanks for your early reply.

I already know this tutorial. I've tried it once, but it didn't work out. Maybe I made a mistake. I'll try it again.

When I configure dynamic tunnels, the ASDM / CLI output says something like "dynamic l2l tunnels will fail if no cert. will be used and/or aggressive mode is not used on peer". Sorry, I don't have the message with me at the moment.

1) Which mode do I have to use for the tunnel build-up process? AM or MM? Do I really need to use AM?

Furthermore I'd prefer to use IKEv2, because the tunnel build-up process should be less fault-prone than with IKEv1.
2) Is it the same procedure as with IKEv1, or do I have to consider some special points?

EDIT:

3) What about naming the tunnel profiles / tunnel groups? Is it necessary to match the tunnel-profile name? Does it have a consequence when writing the connection name in addition to the peer IP in the connection profile on the dynamic site?

Is there anyone else who can answer these few questions for me?