ASA 8.3 Static - Dynamic L2L

Phil Smith
Beginner

Hi,

We currently have a Hub - Spoke setup with many static-to-static lan-to-lan vpn tunnels configured.

I have been asked to set up a vpn from the hub to a remote site which uses dhcp to obtain its peer address.

I have searched for an answer to this, but everything I have found shows the dynamic map being applied to the outside interface.

The normal map is currently applied to it, and I don't think multiples are allowed?  I can't test, as it's a working environment.

So my query is, how do I add this config without affecting any of the current connections?

Alternatively, is there any way to configure the phase 1 isakmp identity as "hostname" for this one particular connection (all others use "address") and get them to use a dyndns config?

3 Replies

Karsten Iwen
VIP Mentor

The VPN has to be initiated from the device with the dynamic IP. The ASA cannot use an FQDN as the peer (the IOS router can). The dynamic crypto map is not attached to the interface. It's attached to the static crypto map with a sequence that has to be higher than all sequence numbers used for site-to-site connections.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Any chance of an example config? Is the below enough?

! DefaultL2LGroup is the catch-all tunnel-group for L2L peers without their own group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key TESTKEY
! dynamic entry, then attached to the existing static map REMSITE at a high sequence
crypto dynamic-map DMAP1 500 set transform-set MYSET
crypto map REMSITE 500 ipsec-isakmp dynamic DMAP1

That config should be ok. Perhaps you need to extend it further with a group-policy depending on your needs (VPN-Filter or so ...).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
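Because the change goes onto a production hub that already carries static spokes, it is worth checking the ordering rule from the reply above (dynamic entry on the existing static map, sequence higher than every static entry, map bound to the interface, pre-shared key present under DefaultL2LGroup) before pushing the lines. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA 8.3 config excerpt (map, transform-set and ACL names are hypothetical) and reports any of those conditions that fail.

```python
"""Pre-flight check for adding a dynamic L2L entry to an ASA static crypto map.

Added example, not from the thread. It encodes the rules stated in the replies:
the dynamic entry hangs off the static crypto map, its sequence must be higher
than every static site-to-site sequence, the static map is what is applied to
the interface, and DefaultL2LGroup needs a pre-shared key for the dynamic peer.
"""
from __future__ import annotations

import re

# Constructed sample config (hypothetical names): two existing static spokes
# plus the dynamic entry from the thread, all on the one static crypto map.
GOOD_CONFIG = """\
crypto ipsec transform-set MYSET esp-aes-256 esp-sha-hmac
crypto dynamic-map DMAP1 500 set transform-set MYSET
crypto map REMSITE 10 match address SPOKE-A
crypto map REMSITE 10 set peer 203.0.113.10
crypto map REMSITE 10 set transform-set MYSET
crypto map REMSITE 20 match address SPOKE-B
crypto map REMSITE 20 set peer 203.0.113.20
crypto map REMSITE 20 set transform-set MYSET
crypto map REMSITE 500 ipsec-isakmp dynamic DMAP1
crypto map REMSITE interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key TESTKEY
"""

DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) (?:match|set) ")
DYNMAP_DEF_RE = re.compile(r"^crypto dynamic-map (\S+) \d+ ")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def check_crypto_maps(config: str) -> list[str]:
    """Return the problems found; an empty list means the layout is sound."""
    static_seqs: dict[str, set[int]] = {}
    dynamic_entries: list[tuple[str, int, str]] = []
    dynmaps: set[str] = set()
    bound_maps: set[str] = set()
    default_l2l_psk = False
    in_default_l2l = False

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # A non-indented line ends any tunnel-group sub-mode we were in.
            in_default_l2l = line == "tunnel-group DefaultL2LGroup ipsec-attributes"
        elif in_default_l2l and line.strip().startswith("pre-shared-key "):
            default_l2l_psk = True
        if m := DYNAMIC_RE.match(line):
            dynamic_entries.append((m[1], int(m[2]), m[3]))
        elif m := STATIC_RE.match(line):
            static_seqs.setdefault(m[1], set()).add(int(m[2]))
        elif m := DYNMAP_DEF_RE.match(line):
            dynmaps.add(m[1])
        elif m := IFACE_RE.match(line):
            bound_maps.add(m[1])

    findings: list[str] = []
    if not dynamic_entries:
        findings.append("no 'ipsec-isakmp dynamic' entry found on any crypto map")
    for name, seq, dmap in dynamic_entries:
        if dmap not in dynmaps:
            findings.append(f"crypto map {name} {seq} references undefined dynamic-map {dmap}")
        # The dynamic entry must sort after every static peer on the same map.
        highest_static = max(static_seqs.get(name, {0}))
        if seq <= highest_static:
            findings.append(
                f"dynamic entry {name} {seq} must be higher than static seq {highest_static}"
            )
        # Only the static map is bound to the interface; the dynamic map never is.
        if name not in bound_maps:
            findings.append(f"crypto map {name} is not applied to any interface")
    if dynamic_entries and not default_l2l_psk:
        findings.append("tunnel-group DefaultL2LGroup has no pre-shared-key for the dynamic peer")
    return findings


if __name__ == "__main__":
    problems = check_crypto_maps(GOOD_CONFIG)
    print("OK" if not problems else "\n".join(problems))
```

Paste the output of "show running-config crypto" and "show running-config tunnel-group" in place of GOOD_CONFIG to run it against a real hub; an empty result means the new lines slot in after the existing static entries without touching them.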
