12-04-2017 11:22 AM - edited 03-12-2019 04:47 AM
Can I configure a VTI tunnel (the new routing type) so the destination can come from a dynamic address (i.e. where the remote device, in my case a router, has a DHCP assigned address)?
I have tried various ways so far without success. I can get a configuration to work so long as I use a static destination address and associated TUNNEL-GROUP name.
Is there an example config anywhere posted?
12-04-2017 03:54 PM
To elaborate slightly: By using aggressive mode I can get the ASA to use a tunnel-group which has a name, not an IP, but I cannot figure out how to get rid of the destination in the tunnel definition, e.g.
interface Tunnel36
nameif vti36
ip address 172.26.37.1 255.255.255.0
tunnel source interface outside
tunnel destination 7.7.7.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTIPROFILE
That 7.7.7.1 is my problem, I can't find any syntax on the ASA side that can get rid of it and still have a VTI Tunnel Interface (which I want to use with EIGRP via BGP redistribution).
12-09-2017 11:04 AM
Just for grins, I asked our partner for pre-sale help (since this is for a planned project), and was told that whether or not VTI on ASA can support a tunnel destination that is DHCP assigned is a post-sale, TAC question.
So ... buy it, and we'll tell you then if it works or not.
We're moving forward with a small router to terminate these tunnels on, at least I know that works. And nicely it supports EIGRP, so no need for BGP redistribution.
09-01-2023 04:09 AM
Did it work? I have the same problem (ASA5545)...
09-01-2023 04:31 AM
Are you trying to form a tunnel between dynamic to dynamic device?
09-01-2023 04:53 AM
Pavan,
I wanted to create a tunnel between the ASA 5545 (with static outside IP) and a router (with dynamic outside IP)...
with the aim of running BGP between the endpoints....
I tried to configure the interface tunnel on the ASA side:
interface Tunnel0
nameif ROUTER
ip address 172.16.2.1 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination ?.?.?.?
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
But it is not possible because the "tunnel destination ?.?.?.?" is not a fixed IP....
How can I solve this problem?
Best regards
09-01-2023 05:08 AM
Starting from ASA 9.19 you have the ability to configure DVTI (dynamic VTI Tunnels).
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/release/notes/asarn919.html (under VPN features)
09-01-2023 08:02 AM
According to my research, the ASA 5545 only allows iOS upgrades up to version 9.14....
I really appreciate the solution you presented, but I can't implement it.
Is there any other solution that can be implemented? Any ideas?
Thank you very much for your help...
Fernando