ASA Dynamic VPN and static routes

joerggrau
Level 1

I am running an ASA with 8.4(3) and am trying to set up a dynamic VPN tunnel.  We have a business reason to establish a VPN tunnel to customers who do not have nailed-down IP addresses.  Now I found a number of documents that outline the steps involved.  It seems the basic steps were to

  1. Establish a regular tunnel
  2. Add dynamic crypto map
  3. Assign the dynamic crypto map to the tunnel created under step 1.

While this sounds pretty straightforward and simple, while prepping for doing just this I hit a roadblock while thinking it through. In order for my ASA to put anything into the tunnel it has to have a route to the remote network pointing at my VPN peer at the end of the tunnel.  How do I do this in a dynamic tunnel?  How do I add a dynamic route so the ASA knows which tunnel to stuff the traffic into?  How do I stop the traffic from just being sent to the Internet?

Thanks,

Joerg

1 Reply

Marcin Latosiewicz
Cisco Employee

Joerg,

Dynamic crypto maps can only act as a responder.

Dynamic crypto map entries can have match statements to differentiate which traffic should be pushed.

Initiators that fall under dynamic crypto map can "force" what traffic to push through this particular peer (unless otherwise constrained).

I.e. once the remote end (with dynamic IP) initiates IKE negotiation and the tunnel establishes, there will be a binding between which traffic to send and the endpoint IP address(es).

M.
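An ASA 8.4 configuration sketch for the responder side described in this thread, added here as an illustration; it is not from the original post or from Cisco documentation, and it goes slightly beyond the reply by also showing the NAT exemption and Reverse Route Injection. Interface names, networks, object names, the sequence numbers and the pre-shared key are assumed placeholders.

```text
! Added example: placeholder addresses (RFC 5737 / RFC 1918), names and key
! Phase 1 (IKEv1) policy and IKE enabled on the interface that carries the crypto map
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Crypto ACL: this selector, not a per-peer static route, is what binds
! local<->customer traffic to the tunnel once a peer has negotiated it
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! NAT exemption (8.4 twice NAT) so tunnel traffic is not PATed to the outside address
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Phase 2 transform set and the dynamic crypto map (responder only, as the reply says)
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 match address VPN-TRAFFIC
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES-SHA
! Reverse Route Injection: when a peer's SA comes up the ASA installs a static
! route for the negotiated remote network pointing at that peer's current IP,
! and removes it again when the SA goes away
crypto dynamic-map DYN-MAP 10 set reverse-route

! The dynamic map hangs off the static crypto map as its highest sequence entry
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Peers with unknown IPs land in DefaultL2LGroup; this one key is shared by every
! such customer, so anyone holding it can bring up a tunnel. Prefer per-customer
! certificate authentication where the customers can support it.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-KEY

! A route out of the crypto-map interface (here the default route) is enough:
! the crypto map encrypts matching traffic before it leaves, and matching traffic
! for which no SA exists is dropped rather than forwarded in the clear
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

The crypto ACL plus the dynamic map entry replace the per-peer static route the question asks about; `set reverse-route` adds that route automatically for as long as the customer's SA is up, which is useful when the ASA has more than one path toward the remote network.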