site-to-site vpn using on remote Site DynDNS on cisco asa

Hello,

I need help configuring an IPSec site-to-site VPN using a dynamic IP at the remote site.

Now I need a little help with how to configure DynDNS at the remote site, and then how I get a site-to-site VPN between the HQ with the static IP and the BO with the dynamic IP.

Yours

H.-J. Guenter

5 Replies

The ASA doesn't support DynDNS with the HTTP-method. And for a site-to-site-VPN you need static IPs on both ends.

You can build your VPN in two ways:

1) configure a static VPN on the remote ASA, configure a dynamic VPN on the central ASA.

2) configure EasyVPN remote on the remote ASA and EasyVPN Server on the central ASA.

I would prefer solution 2.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi karsten.iwen,

Thanks for your answer. But I've got one more question, because at the BO we have a dynamic IP.

I show you the configuration here:

(HQ) Network -> - <- ASA -> Static IP <- Internet -> Dynamic IP <- ASA -> - <-Network (BO)

I found some documents about configuring a site-to-site VPN when both sites have static IPs, but I don't know what I have to configure on the ASA at the HQ so that the ASA accepts the connection from the BO ASA with the dynamic IP. Among all the configs I have found on the internet, I have found only this entry; must it be in the config on the HQ ASA side?

    !--- ISAKMP policy for access by dynamic connections from the remote ASA.
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

Yours Sincerely

The wildcard-PSK belongs to my solution 1) where you configure a static VPN on the branch and a dynamic VPN on the HQ. Wildcard PSKs are not considered a best practice and should be avoided. A better solution would use digital certificates.

But nevertheless, if you want to implement it that way, here is an example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

It uses a PIX with v7.x, but it shows what is needed on the HQ-ASA. The BO-ASA uses a standard VPN-S2S-setup.

Also look at the EasyVPN-Solution in the following example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

Perhaps that will fit your needs better than the dynamic VPN above.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I have seen on cisco.com that the ASA can use DDNS for a dynamic IP. Is this a way to get around the wildcard PSK?

I would have to look again at exactly how that is to be configured, and how I then get the dynamic IP of the BO ASA to the HQ ASA, so that a direct site-to-site VPN can again be used without a wildcard PSK.

I have seen on cisco.com that the ASA can use DDNS for a dynamic IP. Is this a way to get around the wildcard PSK?

No, the DDNS function is only for the IETF method, not for the HTTP method used by services like DynDNS.org.

I would have to look again at exactly how that is to be configured, and how I then get the dynamic IP of the BO ASA to the HQ ASA, so that a direct site-to-site VPN can again be used without a wildcard PSK.

The only way to avoid the wildcard-PSKs is to use digital certificates. A workaround is to use EasyVPN where the PSK is assigned to a VPN-group instead of an IP.

Or even better, get a fixed IP for your branch-office.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
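The following is an added example, not from this thread or from Cisco's documentation, showing the HQ-side configuration for karsten's solution 1 (standard static VPN at the BO, dynamic crypto map at the HQ) in ASA 7.2/8.0 syntax. It shows the wildcard-PSK variant he advises against next to the certificate-based DefaultL2LGroup he recommends; interface names, networks, policy and trustpoint names are assumed.

```cisco
! --- Added example (ASA 7.2 / 8.0 syntax), HQ side only. Names, networks and the
! --- trustpoint are assumptions. The BO keeps its normal static site-to-site config.
! --- Common part: ISAKMP on the outside interface, transform set, NAT exemption.
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! --- A dynamic crypto map has no peer address, so a branch whose IP changes is
! --- accepted. It must carry the highest sequence number so static entries win first.
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
!
! --- Variant A (weak, the wildcard PSK): any peer that knows this single key can
! --- complete phase 1 with the HQ, and the key cannot be tied to one branch.
! --- Variants A and B are alternatives; configure only one of them.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <WILDCARD-PSK-PLACEHOLDER>
!
! --- Variant B (preferred): RSA signatures. Each branch authenticates with its own
! --- certificate from a CA the HQ trusts, and the peer identity is checked against
! --- the certificate, so a lost branch credential is revoked rather than re-keyed
! --- everywhere. The trustpoint must be authenticated (CA certificate installed)
! --- and the HQ enrolled with its own identity certificate before the tunnel works.
crypto ca trustpoint BRANCH-CA
 enrollment terminal
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 trust-point BRANCH-CA
 peer-id-validate req
```

After the branch connects, "show crypto isakmp sa" and "show crypto ipsec sa" on the HQ show which peer address the dynamic entry matched and whether the SA was authenticated with a pre-shared key or a certificate.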
