800 Views, 0 Helpful, 3 Replies

ASA 8.3 Static - Dynamic L2L

Phil Smith
Level 1

Hi,

We currently have a Hub - Spoke setup with many static-to-static lan-to-lan vpn tunnels configured.

I have been asked to set up a vpn from the hub to a remote site which uses dhcp to obtain its peer address.

I have searched for an answer to this, but everything I have found shows the dynamic map being applied to the outside interface.

The normal map is currently applied to it, and I don't think multiples are allowed? I can't test, as it's a working environment.

So my query is, how do I add this config without affecting any of the current connections?

Alternately, is there any way to configure the phase 1 isakmp identity as "hostname" for this one particular connection (all others use "address") and get them to use a dyndns config?


3 Replies

The VPN has to be initiated from the device with the dynamic IP. The ASA cannot use an FQDN as the peer (the IOS router can). The dynamic crypto map is not attached to the interface. It's attached to the static crypto map with a sequence number that has to be higher than all sequence numbers used for site-to-site connections.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
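The arrangement described in the reply above, written out as an added example (it is not configuration from either poster): the hub keeps its existing static entries in the map that is already bound to the outside interface and appends one dynamic entry with the highest sequence number, and the spoke with the DHCP-assigned address is the side that initiates. Everything here is assumed for illustration: the map name REMSITE, transform set MYSET and dynamic map DMAP1 are reused from the thread, but the interface names, the RFC 5737 addresses, the networks, the sequence numbers and the keys are placeholders, and the spoke is assumed to be an ASA as well. The hub is assumed to be running ASA 8.3 (pre-8.4 `crypto isakmp` syntax and the 8.3 object-based NAT exemption).

```cisco
! ---- HUB (ASA 8.3) - added example; all names, addresses and keys are assumptions ----
! Phase 1 policy used by both the static and the dynamic spokes
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! NAT-T in case the DHCP-addressed spoke sits behind a provider NAT
crypto isakmp nat-traversal 20
crypto ipsec transform-set MYSET esp-aes-256 esp-sha-hmac

! Existing static spoke (203.0.113.10 is an assumed static peer) - left untouched
access-list SPOKE1-VPN extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
crypto map REMSITE 10 match address SPOKE1-VPN
crypto map REMSITE 10 set peer 203.0.113.10
crypto map REMSITE 10 set transform-set MYSET
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key Spoke1-Static-Key

! Dynamic spoke: no "set peer", no "match address". The dynamic map hangs off the
! SAME static map with a sequence higher than every static entry, so it is only
! tried after all static entries fail to match (it is a catch-all).
crypto dynamic-map DMAP1 500 set transform-set MYSET
crypto map REMSITE 500 ipsec-isakmp dynamic DMAP1
! REMSITE is already bound to outside; DMAP1 itself is never bound to an interface
crypto map REMSITE interface outside

! A peer whose address matches no static tunnel-group lands in DefaultL2LGroup,
! so this key is shared by every dynamic peer: keep it distinct from the static keys
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key Dynamic-Spoke-Key

! 8.3-style NAT exemption for the dynamic spoke's LAN (assumed 192.168.50.0/24)
object network HUB-LAN
 subnet 10.1.0.0 255.255.0.0
object network SPOKE-DYN-LAN
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE-DYN-LAN SPOKE-DYN-LAN

! ---- SPOKE with a DHCP-assigned outside address (assumed to be an ASA) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp enable outside
crypto ipsec transform-set MYSET esp-aes-256 esp-sha-hmac
! The spoke is the only side that knows the other peer's address, so it initiates
access-list TO-HUB extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto map SPOKEMAP 10 match address TO-HUB
crypto map SPOKEMAP 10 set peer 198.51.100.1
crypto map SPOKEMAP 10 set transform-set MYSET
crypto map SPOKEMAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key Dynamic-Spoke-Key
 ! DPD keeps the tunnel alive even when only the hub has traffic to send
 isakmp keepalive threshold 10 retry 2
```

Two things to check before relying on this. First, `show run crypto map` on the hub should list the `dynamic DMAP1` entry with the highest sequence number; if a static entry ever gets a higher number than the dynamic one, any peer matching the dynamic entry first could be handed the wrong policy. Second, the dynamic entry has no `match address`, so the hub accepts whatever proxy identities a peer presenting the DefaultL2LGroup key proposes, from any source address. The key alone is what authorises the peer, which is why the follow-up answer suggests restricting the traffic with a group-policy (VPN filter) rather than trusting the spoke's crypto ACL.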

Any chance of an example config? Is the below enough?

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key TESTKEY
!
! MYSET is the transform set already used by the existing static tunnels
crypto dynamic-map DMAP1 500 set transform-set MYSET
!
! REMSITE is the crypto map already bound to the outside interface; 500 is above all static entries
crypto map REMSITE 500 ipsec-isakmp dynamic DMAP1

That config should be ok. Perhaps you need to extend it further with a group-policy depending on your needs (VPN-Filter or so ...).

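The group-policy extension the accepted answer alludes to, as an added example rather than configuration from the thread: a VPN filter attached to DefaultL2LGroup so that a dynamic peer, which by definition matched no per-peer tunnel-group and no crypto ACL on the hub, can only reach what the hub administrator chose. The ACL name, group-policy name, networks (RFC 1918 and assumed to match the hub example above) and ports are assumptions.

```cisco
! Added example (not the posters' configuration); names, networks and ports are assumed.
! vpn-filter ACLs are written with the REMOTE (spoke) network as source and the
! local (hub) network as destination; the ASA mirrors the entries for return traffic.
access-list DYN-SPOKE-FILTER extended permit tcp 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0 eq 443
access-list DYN-SPOKE-FILTER extended permit udp 192.168.50.0 255.255.255.0 host 10.1.0.53 eq 53
! Explicit catch-all (the filter also has an implicit deny); anything else the spoke
! proposes through the dynamic map is dropped after decryption
access-list DYN-SPOKE-FILTER extended deny ip any any

group-policy DYN-L2L-GP internal
group-policy DYN-L2L-GP attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value DYN-SPOKE-FILTER

! Every dynamic-map peer lands in DefaultL2LGroup, so bind the policy there;
! the static spokes keep their own tunnel-groups and are unaffected
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy DYN-L2L-GP

! Verification once the spoke has brought the tunnel up
show crypto isakmp sa
show crypto ipsec sa
show vpn-sessiondb l2l
show run crypto map
```

The reason the filter matters on a dynamic tunnel: with the default `sysopt connection permit-vpn` in place, decrypted IPsec traffic bypasses the outside interface ACL entirely, so for a peer the hub cannot identify by address the vpn-filter (or, alternatively, `no sysopt connection permit-vpn` plus an interface ACL) is the only traffic control applied. `show vpn-sessiondb l2l` should show the dynamic session with group policy DYN-L2L-GP; if it shows DfltGrpPolicy instead, the `default-group-policy` line was not applied to DefaultL2LGroup.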