11-02-2011 07:41 AM
I have an ASA 5505 with a dynamic IP address from the ISP.
What I need to accomplish is the following:
- Either set up that ASA (Dynamic IP) VPN with an IOS router (Static IP)
- Or set up that ASA (Dynamic IP) with another ASA (Static IP)
Any suggestions, links, best practices? If anyone else is set up this way, config examples would be great. Thank you.
11-02-2011 05:29 PM
Hi Mohammed,
- Or setup that ASA (Dynamic IP) with another ASA (Static IP)
Please find the link below. This should be a good guide to help you set up what you want. Let me know if you want more info.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
HTH
Kishore
11-04-2011 01:46 PM
Thank you Kishore, but I found out that I really need to accomplish this from ASA to a router, with the router being the central device, so Option 1 is what I need.
11-04-2011 06:50 PM
Hi Mohammed,
In either case you use something called dynamic crypto maps, because you don't know the peer IP as it will be dynamic.
I am pasting a link here to create dynamic crypto maps on routers. The ASA config will be the same as a normal site-site config.
http://blogg.kvistofta.nu/config-example-static-to-dynamic-ipsec/
HTH
Kishore
11-06-2011 06:18 AM
Thank you Kishore, I will give it a try this week and post back results.
11-11-2011 09:19 AM
This is great, exactly what I need. One last issue remains: there is already a static crypto map applied to the interface, and I don't think you can apply two crypto maps to a single interface. Is there a workaround?
11-12-2011 04:57 AM
Hi Mohammed,
What you can do is to create numbered crypto maps. Below is what I mean.

crypto map HIGHSEC_CRYPTO_MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ESP-AES-128-SHA
 match address 100
crypto map HIGHSEC_CRYPTO_MAP 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-AES-128-SHA
 match address 200
interface fa0/1
 crypto map HIGHSEC_CRYPTO_MAP

..and so on.. so basically you can run as many S2S VPN tunnels as the platform supports. Try that and let me know.
Regards,
Kishore
11-14-2011 05:20 AM
Thank you for the reply Kishore, however we already have that in place. The issue here is that we already have static crypto maps and we need to add a dynamic map, but we can't bind it to the interface because there is a static map already there.
11-14-2011 02:05 PM
Ah, I see what u mean. Sorry, didn't read ur last post fully. Umm, well, in that case you might have to use subinterfaces and then apply the dynamic map to the sub-interface.
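Added example (not posted by anyone in this thread): a sketch of the hub-side IOS configuration for the static-plus-dynamic case discussed above. It relies on IOS letting a dynamic crypto map be referenced as one numbered entry of an existing crypto map, so the interface still carries a single map. The names DYN_SPOKES and ACL 150, the subnets and the key are placeholders chosen here; the ISAKMP policy is assumed to exist already.

```cisco
! Added example, hub router with a static IP. Placeholder values throughout.
!
! The spoke (the ASA 5505) has no fixed address, so its pre-shared key
! cannot be tied to one peer IP. A wildcard key authenticates any peer
! that knows it: use a long random value and rotate it if a spoke is lost.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
! Interesting traffic from the hub LAN to the spoke LAN (placeholder subnets).
access-list 150 permit ip 10.0.0.0 0.0.0.255 10.0.50.0 0.0.0.255
!
! Dynamic map: there is no "set peer" line, the peer address is learned
! when the spoke initiates the negotiation.
crypto dynamic-map DYN_SPOKES 10
 set transform-set ESP-AES-128-SHA
 match address 150
!
! Existing static entries from the thread stay unchanged.
crypto map HIGHSEC_CRYPTO_MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ESP-AES-128-SHA
 match address 100
crypto map HIGHSEC_CRYPTO_MAP 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-AES-128-SHA
 match address 200
!
! The dynamic map becomes one more entry of the same crypto map. Giving it
! the highest sequence number means known static peers are matched first
! and only unmatched peers fall through to the dynamic entry.
crypto map HIGHSEC_CRYPTO_MAP 65535 ipsec-isakmp dynamic DYN_SPOKES
!
! Still exactly one crypto map on the interface.
interface fa0/1
 crypto map HIGHSEC_CRYPTO_MAP
```

Because the hub cannot initiate toward an unknown address, the tunnel only comes up when the dynamic side sends traffic first; "show crypto isakmp sa" and "show crypto ipsec sa" on the hub confirm which peer address was learned.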