Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
42355
Views
5
Helpful
4
Replies

Site-to Site VPN if a remote ASA has a dynamic IP on outside

Go to solution
Hans Juergen Guenter
Level 1
Level 1

‎10-05-2012 03:13 AM

Hi,

I always try to find the right commands for the Dynamic VPN at a Site-to Site VPN.

I found something about the set peer command, but is that right what I want to do?

Static IP on both ASA (asa5505 and asa5510):

crypto map outside_map 1 set peer 192.168.178.230 <== That ist for a static if I know the IP

One Static (asa5510) and one dynamic (asa5505) IP:

crypto map outside_map 1 set peer asa5505 dynamic default <== Is that the right set peer

if the remote ASA called asa5505 and it has a dynamic IP address?

Regards,

Hans-Juergen Guenter

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Hans Juergen Guenter

‎10-05-2012 04:01 AM

Yes, you do need the above 3 lines in the configuration. Those are required on the static end to accept connection from dynamic peer.

You don't need "set peer" command as you don't have a static ip address for the dynamic end.

View solution in original post

4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-05-2012 03:34 AM

Here is a sample configuration between static and dynamic VPN peer address:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

For dynamic to static VPN tunnel, the dynamic end needs to initiate the connection towards the static end. Because the dynamic end changes IP all the time, the static end would not know what the IP, hence the dynamic end needs to initiate the connection towards the static to bring up the VPN tunnel

0 Helpful

Go to solution
Hans Juergen Guenter
Level 1
Level 1
In response to Jennifer Halim

‎10-05-2012 03:44 AM

I saw that configuration, but sorry I don`t found the correct things I only need.

There are to much commands I don`t need.

crypto dynamic-map cisco 1 set transform-set myset 
crypto map dyn-map 20 ipsec-isakmp dynamic cisco 
crypto map dyn-map interface outside

Are that the commands for the crypto map at the Static site? Do I don`t need a

set peer command?

Regards,

Hans-Juergen Guenter

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Hans Juergen Guenter

‎10-05-2012 04:01 AM

Yes, you do need the above 3 lines in the configuration. Those are required on the static end to accept connection from dynamic peer.

You don't need "set peer" command as you don't have a static ip address for the dynamic end.

Go to solution
Chiranjit Dey
Level 1
Level 1

‎06-10-2016 07:09 AM

I have one ASA5550 firewall in our office environment , from where  Static Site to Site IPsec VPN is configured, Now i want to create a dynamic Ipsec Site-to Site from same box.

I wanted to know is my ASA box will support Static and Dynamic Site-to Site VPN on same time. If yes, then is any command we need to enter to enable both Static and Dynamic IPSEC Site to Site VPN on same time.

As of Now i have only one  Internet faced interface on my ASA by which Static Site to Site VPN is configured , if that box is support both flavour of IPSEC VPN can i use the same Public interface for both the tunnel or i need to create separate public interface on ASA.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents