
ASA to ASA or IOS Router VPN with dynamic remote

ALIAOF_
Level 6

I have an ASA 5505 with a dynamic IP address from the ISP.

What I need to accomplish is the following:

- Either setup that ASA (Dynamic IP)VPN with an IOS router (Static IP)

- Or setup that ASA (Dynamic IP) with another ASA (Static IP)

Any suggestions, links, best practices? If anyone else is set up this way, config examples would be great. Thank you.

8 Replies

Hi Mohammed,

- Or setup that ASA (Dynamic IP) with another ASA (Static IP)

Please find the link below. This should be a good guide to help you set up what you want. Let me know if you want more info.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

HTH

Kishore

Thank you Kishore, but I found out that I really need to accomplish this from the ASA to a router, with the router being the central device, so Option 1 is what I need.

Hi Mohammed,

In either case you use something called dynamic crypto maps, because you don't know the peer IP as it will be dynamic.

I am pasting a link here to create dynamic crypto maps on routers. The ASA config will be the same as a normal site-to-site config.

http://blogg.kvistofta.nu/config-example-static-to-dynamic-ipsec/

HTH

Kishore

Thank you Kishore, I will give it a try this week and post back results.

This is great, exactly what I need. One last issue remains: there is already a static crypto map applied to the interface, and I don't think you can apply two crypto maps to a single interface. Is there a workaround?

Hi Mohammed,

What you can do is to create numbered crypto maps. Below is what I mean.

crypto map HIGHSEC_CRYPTO_MAP 10 ipsec-isakmp
  set peer 1.1.1.1
  set transform-set ESP-AES-128-SHA
  match address 100
crypto map HIGHSEC_CRYPTO_MAP 20 ipsec-isakmp
  set peer 2.2.2.2
  set transform-set ESP-AES-128-SHA
  match address 200
interface fa0/1
  crypto map HIGHSEC_CRYPTO_MAP

...and so on, so basically you can run as many S2S VPN tunnels as the platform supports. Try that and let me know.

Regards,

Kishore

Thank you for the reply Kishore, however we already have that in place. The issue here is that we already have static crypto maps and we need to add a dynamic map, but we can't bind it to the interface because there is a static map already there.

Ah, I see what you mean. Sorry, I didn't read your last post fully. Umm, well in that case you might have to use subinterfaces and then apply the dynamic map to the sub-interface.
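As an added example (editor's config, not Kishore's and not from the linked guide) covering both Kishore's note that the ASA side is a normal site-to-site config and the final question of adding a dynamic map next to existing static ones: on IOS a dynamic crypto map is not applied to the interface on its own; it is referenced as one more sequence entry of the crypto map that is already bound there, so the single-map-per-interface limit is never hit. The existing static entries (peers 1.1.1.1 and 2.2.2.2, transform-set ESP-AES-128-SHA, crypto map HIGHSEC_CRYPTO_MAP on fa0/1) are taken from the thread; the router's public address 203.0.113.1, the ACL names and numbers (130, VPN_TO_HQ), the LAN subnets, the dynamic-map name DYN_ASA and the placeholder pre-shared key are assumptions for illustration.

```cisco
!=== IOS router, static public IP 203.0.113.1 (assumed) ===
! Existing static entries 10 and 20 are left exactly as they are.
!
! Main mode identifies the peer by IP, and the ASA's IP is unknown, so the
! dynamic peer needs a wildcard pre-shared key. Caveat: anyone who holds this
! key can negotiate Phase 1 from any address, so keep it distinct from the
! keys used for 1.1.1.1 and 2.2.2.2 and prefer RSA-sig (certificates) if
! the platform allows it.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key DYNAMIC-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Proxy identities the dynamic peer is allowed to propose (assumed subnets):
! HQ 10.1.0.0/16 behind the router, branch 10.50.0.0/24 behind the ASA.
access-list 130 permit ip 10.1.0.0 0.0.255.255 10.50.0.0 0.0.0.255
!
! Dynamic map: no 'set peer'; the initiating ASA supplies peer and proxy IDs.
crypto dynamic-map DYN_ASA 10
 set transform-set ESP-AES-128-SHA
 match address 130
!
! Attach the dynamic map as the HIGHEST sequence number of the crypto map
! already on the interface. Entries are evaluated in sequence order, so the
! static peers match first and only unmatched peers fall through to it.
crypto map HIGHSEC_CRYPTO_MAP 65535 ipsec-isakmp dynamic DYN_ASA
!
! Nothing changes on the interface: the one map it already has now carries
! the dynamic entry too.
interface FastEthernet0/1
 crypto map HIGHSEC_CRYPTO_MAP

!=== ASA 5505, dynamic ISP address: ordinary L2L config pointing at the router ===
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
! Interesting traffic: mirror image of access-list 130 on the router.
access-list VPN_TO_HQ extended permit ip 10.50.0.0 255.255.255.0 10.1.0.0 255.255.0.0
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key DYNAMIC-PSK-PLACEHOLDER
!
crypto map OUTSIDE_MAP 10 match address VPN_TO_HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP interface outside
```

Two operational points follow from this layout. Only the ASA can bring the tunnel up, since the router has no peer address to initiate to; if the branch must stay reachable, keep the SA alive from the ASA side (for example with traffic or DPD) rather than expecting HQ to dial out. And because the dynamic entry is a catch-all, verify with `show crypto isakmp sa` and `show crypto ipsec sa` that 1.1.1.1 and 2.2.2.2 still land on sequences 10 and 20 and not on 65535; a static peer matching the dynamic entry means its own entry is misconfigured (typically a mismatched `match address`). NAT exemption for the VPN subnets is required on the ASA as on any site-to-site tunnel and is omitted above.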