12-28-2015 08:59 AM
Hello
A business partner (BP) has some special requirements for VPN. Per the BP, the VPN config on my Cisco ASA (825) should have the following:
(BP) remote gateway should be set to 0.0.0.0 - This is what I am concerned about.
Could any adverse issue arise on the ASA for other tunnels or routing by setting the crypto map peer and the tunnel-group to 0.0.0.0 for this specific tunnel?
My side of the tunnel needs to be set for passive IKE (answer only). No trouble with this.
Thank you for any expert guidance provided on this issue.
Solved! Go to Solution.
12-28-2015 12:49 PM
Hello,
In case they are requesting that you accept any public IP as the peer because their IP is dynamic, you need to configure a dynamic-to-static site-to-site tunnel. This way you can accept their connection to your ASA.
You will need to use the default tunnel group and set up the pre-shared key there. It should not affect the other tunnels, because if the other tunnels are static you have created more specific tunnels for those particular peers.
Here is a document that explains this dynamic-to-static site-to-site configuration using ASDM and CLI:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html
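The configuration the answer above describes, written out as an added example that is not from the thread or from the linked Cisco document. It is an IKEv1 dynamic-to-static L2L setup for ASA 9.x; the subnets, object and ACL names, transform-set name, the static peer 203.0.113.10 and both secrets are assumptions for illustration, and the partner's actual phase 1/2 parameters must be substituted for the ones shown:

```cisco
! Added example (not from the thread): IKEv1 dynamic-to-static L2L on ASA 9.x.
! Names, subnets and the static peer 203.0.113.10 are assumptions for illustration.

! Phase 1: must match what the partner proposes. They initiate; we only answer.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2 proposal
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic for the partner (assumed subnets) and the NAT exemption for it
object network LOCAL-NET
 subnet 10.10.0.0 255.255.0.0
object network BP-NET
 subnet 192.168.50.0 255.255.255.0
access-list BP-VPN extended permit ip object LOCAL-NET object BP-NET
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static BP-NET BP-NET no-proxy-arp route-lookup

! Dynamic crypto map: there is no 'set peer', so any source address may bring
! the tunnel up, but 'match address' limits which proxy IDs it may negotiate.
! 'set reverse-route' injects a route to BP-NET only while the SA is up.
crypto dynamic-map DYNAMIC 10 match address BP-VPN
crypto dynamic-map DYNAMIC 10 set ikev1 transform-set TS-AES256-SHA
crypto dynamic-map DYNAMIC 10 set pfs
crypto dynamic-map DYNAMIC 10 set reverse-route

! Known peers keep specific entries with lower sequence numbers; the dynamic
! entry is bound last (65535) so a static peer never falls through to it.
access-list PEER-A-VPN extended permit ip 10.10.0.0 255.255.0.0 172.16.20.0 255.255.255.0
crypto map VPN 10 match address PEER-A-VPN
crypto map VPN 10 set peer 203.0.113.10
crypto map VPN 10 set ikev1 transform-set TS-AES256-SHA
crypto map VPN 65535 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside

! A static peer authenticates against its own tunnel-group. A peer the ASA has
! no tunnel-group for lands in DefaultL2LGroup, so that is where the partner's
! PSK goes. Use a long random secret: it is the only gate on this entry.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PEER-A-SECRET>
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <LONG-RANDOM-PARTNER-SECRET>
```

Because the dynamic entry has no `set peer`, the ASA cannot initiate through it and only responds, which is exactly the "answer only" behaviour the partner asked for. The two things that bound the damage if the DefaultL2LGroup key ever leaks are the `match address` ACL on the dynamic map (a holder of the key can only negotiate the listed proxy IDs) and, if you want to go further, a `vpn-filter` ACL in the group policy applied to the tunnel.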
12-29-2015 07:31 AM
Diego
Thank you for the response.
We currently have a dynamic crypto map in place, crypto map VPN 65535 ipsec-isakmp dynamic DYNAMIC.
In the ASDM it has a priority of 65535.10.
What show commands can I run to verify this dynamic statement is not already being used for another instance?
I see that any static entries I have made are always above this dynamic statement.
Should I create another dynamic instance and define it as 65535.20?
Does it matter where these dynamic statements fall in the list of crypto maps?
12-29-2015 07:45 AM
You don't need to create a new dynamic map; you can reuse that one for all the dynamic IPs in case you're getting other peers with it.
The dynamic map should be the last crypto map, to avoid problems with the static ones.
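The show commands asked for above were not answered in the thread; the following is an added example, not from the thread, of how to check on ASA 9.x that the dynamic entry is ordered last and whether anything is already using it. The peer address 198.51.100.7 and the map name VPN are assumptions:

```cisco
! Added example (not from the thread): verifying the dynamic crypto map entry
! on ASA 9.x. Peer 198.51.100.7 is an assumption.

! 1. Ordering. Entries print in sequence order; the static entries with their
!    'set peer' lines should come first and the 'dynamic DYNAMIC' entry last.
show running-config crypto map
show running-config crypto dynamic-map

! 2. Which tunnel-group an unknown peer will be authenticated against.
show running-config tunnel-group DefaultL2LGroup

! 3. Is the dynamic entry already serving someone? Every IPsec SA reports the
!    crypto map entry it was built from: 'seq num: 65535' means the dynamic
!    entry, and the current_peer is then an address with no static entry.
show crypto ikev1 sa
show crypto ipsec sa | include Crypto map tag|current_peer|local ident|remote ident
show vpn-sessiondb l2l

! 4. Drill into one peer once it appears.
show crypto ipsec sa peer 198.51.100.7
show vpn-sessiondb detail l2l filter ipaddress 198.51.100.7

! 5. If the dynamic map uses reverse-route injection, the peer's networks
!    appear here as routes via outside only while the tunnel is up.
show route
```

If step 3 already lists a session with `seq num: 65535` for a peer you did not expect, that peer is authenticating with the DefaultL2LGroup key today, which is worth knowing before handing that same key to a new partner.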
12-29-2015 08:47 AM
Diego
On a scale of 1 to 10 (riskiest) how risky is this type of implementation?
Based on what I am reading anyone who gets this pre-shared key could use this tunnel into my network!
12-29-2015 09:31 AM
Using pre-shared keys as the authentication method will always represent a higher risk, even for the static tunnels. You can reduce the risk by configuring a strong enough password with a considerable amount of characters and symbols.
If you don't feel comfortable using pre-shared keys for this particular implementation, you can use certificate authentication; this will increase the security for this tunnel. Only the peers with the certificate will be able to authenticate against your ASA to establish a secure VPN tunnel.
Here is documentation that you can check to implement certificate authentication:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html#asa1
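The certificate-based alternative described above, as an added example that is not from the thread or the linked document. It keeps the existing `crypto map VPN 65535 ipsec-isakmp dynamic DYNAMIC` entry and replaces the shared secret with RSA-signature authentication; the trustpoint names, key label, hostname, certificate-map criteria and tunnel-group name are assumptions:

```cisco
! Added example (not from the thread): certificate authentication for the
! dynamic partner tunnel on ASA 9.x. Trustpoint names, the key label, the
! cert-map criteria and the tunnel-group name are assumptions. The crypto map,
! transform set and dynamic map from the PSK design stay as they are.

! Phase 1 requires RSA signatures instead of a shared secret.
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Send the certificate DN as the IKE identity so the certificate map can match it.
crypto isakmp identity auto

! Trust anchor for the partner's gateway certificate. After this block, run the
! exec command 'crypto ca authenticate PARTNER-CA' and paste the CA certificate.
crypto ca trustpoint PARTNER-CA
 enrollment terminal
 crl configure

! Our own identity certificate (assumed: 'crypto key generate rsa label ASA-RSA
! modulus 2048' was run and the certificate was enrolled under ASA-ID).
crypto ca trustpoint ASA-ID
 enrollment terminal
 subject-name CN=vpn.example.net
 keypair ASA-RSA

! Only certificates that satisfy both rules map to the partner's tunnel-group.
! Any other certificate, even one from the same CA, does not match this rule.
crypto ca certificate map PARTNER-MAP 10
 issuer-name attr cn eq PartnerRootCA
 subject-name attr ou eq VPN-Gateways
tunnel-group-map enable rules
tunnel-group-map PARTNER-MAP 10 PARTNER-L2L

! Dedicated tunnel-group for the partner: present ASA-ID, no pre-shared key.
! peer-id-validate req is the default; it rejects a peer whose IKE identity
! does not match its certificate.
tunnel-group PARTNER-L2L type ipsec-l2l
tunnel-group PARTNER-L2L ipsec-attributes
 ikev1 trust-point ASA-ID
 peer-id-validate req
```

Once the partner is mapped to PARTNER-L2L, remove the pre-shared key from DefaultL2LGroup so that an unknown peer with no matching certificate has nothing left to authenticate against, and keep `crl configure` populated with a reachable CRL or OCSP source so a revoked partner certificate actually stops working.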