
Site-to-Site VPN if a remote ASA has a dynamic IP on outside

Hi,

I keep trying to find the right commands for the dynamic VPN in a site-to-site VPN.

I found something about the set peer command, but is that right for what I want to do?

Static IP on both ASA (asa5505 and asa5510):

crypto map outside_map 1 set peer 192.168.178.230 <== That is for a static peer, if I know the IP

One Static (asa5510) and one dynamic (asa5505) IP:

crypto map outside_map 1 set peer asa5505 dynamic default <== Is that the right set peer

if the remote ASA is called asa5505 and it has a dynamic IP address?

Regards,

Hans-Juergen Guenter

Cisco Employee

Site-to-Site VPN if a remote ASA has a dynamic IP on outside

Here is a sample configuration between static and dynamic VPN peer address:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

For a dynamic-to-static VPN tunnel, the dynamic end needs to initiate the connection towards the static end. Because the dynamic end changes IP all the time, the static end would not know what the IP is, hence the dynamic end needs to initiate the connection towards the static end to bring up the VPN tunnel.

Site-to-Site VPN if a remote ASA has a dynamic IP on outside

I saw that configuration, but sorry, I didn't find just the things I need.

There are too many commands I don't need.

crypto dynamic-map cisco 1 set transform-set myset 
crypto map dyn-map 20 ipsec-isakmp dynamic cisco 
crypto map dyn-map interface outside 

Are those the commands for the crypto map at the static site? Don't I need a

set peer command?

Regards,

Hans-Juergen Guenter

Cisco Employee

Site-to-Site VPN if a remote ASA has a dynamic IP on outside

Yes, you do need the above 3 lines in the configuration. Those are required on the static end to accept the connection from the dynamic peer.

You don't need the "set peer" command, as you don't have a static IP address for the dynamic end.
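
Both ends of the tunnel discussed above, side by side, as an added example that is not part of the original thread or of the linked Cisco document. It assumes the pre-8.3 ASA syntax that the commands in the thread use; the addresses (203.0.113.10 for the static outside interface, 10.1.1.0/24 and 10.2.2.0/24 as inside networks), the ACL names and PSK_PLACEHOLDER are constructed placeholders.

```cisco
! ===== Static end (asa5510), outside IP 203.0.113.10 (placeholder) =====
! Exempt site-to-site traffic from NAT (ACL name "nonat" is an assumption)
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
! The three lines from the thread: there is no "set peer", so the
! dynamic-map entry answers any initiator that passes IKE authentication.
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! A pre-shared-key peer whose address is not known in advance lands in
! DefaultL2LGroup, so this key is the only thing gating the tunnel:
! make it long and random, and do not reuse it for other peers.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PSK_PLACEHOLDER

! ===== Dynamic end (asa5505), outside address changes =====
! Interesting traffic (ACL name "vpn" is an assumption)
access-list vpn extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpn
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
! This side knows the static address, so "set peer" belongs here.
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PSK_PLACEHOLDER
```

The tunnel comes up only when traffic matching the "vpn" ACL leaves the dynamic end; "show crypto isakmp sa" on the static end then lists the peer's current address.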

Beginner

I have one ASA5550 firewall

I have one ASA5550 firewall in our office environment, from which a static site-to-site IPsec VPN is configured. Now I want to create a dynamic IPsec site-to-site VPN from the same box.

I wanted to know whether my ASA box will support static and dynamic site-to-site VPN at the same time. If yes, is there any command we need to enter to enable both static and dynamic IPsec site-to-site VPN at the same time?

As of now I have only one Internet-facing interface on my ASA, on which the static site-to-site VPN is configured. If the box supports both flavours of IPsec VPN, can I use the same public interface for both tunnels, or do I need to create a separate public interface on the ASA?