Site to Site VPN between two ASA5505 devices, both with dynamic IP addresses

rm760
Level 4

I have a friend who is a dentist with two offices. He has a DSL connection to the ISP at one location and a cable modem connection to the ISP at the second location. He purchased two ASA5505 devices and would like to have a VPN tunnel between the two so he can share client files across both locations.

I am looking for direction as to how to accomplish building a VPN tunnel when the IP address of both devices is a changing variable. I have heard about using Dyndns or other services. Here are my questions:

1. Is there any one service that works best with the ASA5505 platform?

2. How is the ASA platform configured to interact with a dynamic dns service provider?

3. How is the configuration of the tunnel created? I am going to assume that the FQDN or part of it would be used instead of the IP address.

6 Replies

adhar
Level 1

Hi

This will work by configuring a routine crypto dynamic map on one side.

The other side can have a static crypto map with "set peer dynamic" command.

Refer to this url for configuring static crypto map,

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a008051a69a.shtml#t2

set peer dynamic command

http://www.cisco.com/en/US/customer/docs/ios/12_3t/secur/command/reference/sec_s1gt.html#wp1205212

Example of static crypto map

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080094a87.shtml#router

Thanks

a

Can you please elaborate as to how you see this working on an ASA device? I read the links you offered and see how it works in a router IOS when one side is statically defined. In my case both public ends are dynamic on ASA 5505. I was thinking of using dyndns and FQDNs instead of IP addresses. Can an ASA5505 update a dyndns server? If not, I can run the dyndns updater application on a computer at each location. Also, when I try to enter a FQDN instead of an IP address to set the crypto peer, it does not accept a name.

Attached are config files from each firewall.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsc74898

Here is a link supplied to me by a Cisco TAC representative. It states that what I am looking to accomplish is currently in a feature request and not an available option with any version of ASA firmware available today.

From my previous post, we need "set peer dynamic." From the bug, that support is not currently available on ASA.

Sincerely,

Maybe I am missing something but the "Set peer dynamic" command is not an option available in version 8.2.1 of the ASA 5505 firmware.

adhar
Level 1

Let me clarify. The process to accomplish this would be the same as on IOS. However, due to the bug identified with ASA code, currently this can't be done on ASA.

/reg