ASA VTI Tunnel from dynamic remote address

Can I configure a VTI tunnel (the new routing type) so the destination can come from a dynamic address (i.e. where the remote device, in my case a router, has a DHCP assigned address)? 
I have tried various ways so far without success.  I can get a configuration to work so long as I use a static destination address and associated TUNNEL-GROUP name.
Is there an example config anywhere posted? 

7 Replies

To elaborate slightly: By using aggressive mode I can get the ASA to use a tunnel-group which has a name, not an IP, but I cannot figure out how to get rid of the destination in the tunnel definition, e.g. 
interface Tunnel36
 nameif vti36
 ip address 172.26.37.1 255.255.255.0 
 tunnel source interface outside
 tunnel destination 7.7.7.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTIPROFILE

That 7.7.7.1 is my problem: I can't find any syntax on the ASA side that can get rid of it and still have a VTI Tunnel Interface (which I want to use with EIGRP via BGP redistribution).

Just for grins, I asked our partner for pre-sale help (since this is for a planned project), and was told that whether or not VTI on ASA can support a tunnel destination that is DHCP assigned is a post-sale, TAC question.
So ... buy it, and we'll tell you then if it works or not.
We're moving forward with a small router to terminate these tunnels on; at least I know that works. And nicely it supports EIGRP, so no need for BGP redistribution.

Did it work? I have the same problem (ASA 5545)...

Pavan Gundu
Cisco Employee

Are you trying to form a tunnel between dynamic to dynamic device?

Pavan,

I wanted to create a tunnel between the ASA 5545 (with a static outside IP) and a router (with a dynamic outside IP)...
with the aim of running BGP between the endpoints....

I tried to configure the interface tunnel on ASA side:

interface Tunnel0
nameif ROUTER
ip address 172.16.2.1 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination ?.?.?.?
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE

But it is not possible because the "tunnel destination ?.?.?.?" is not a fixed IP....

How can I solve this problem?

Best regards

Starting from ASA 9.19 you have the ability to configure DVTI (dynamic VTI Tunnels).

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/release/notes/asarn919.html (under VPN features)
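What the DVTI answer above means in configuration terms, as an added example that is not from any post in this thread and not Cisco's own text: the ASA side has no "tunnel destination" at all. A virtual template is bound to the IKEv2 tunnel-group that dynamic peers land on, and the ASA clones a per-peer tunnel interface when the router connects. The router keeps a normal static VTI pointing at the ASA's fixed address. Interface names, the 203.0.113.1 ASA address, the 172.16.2.x tunnel addresses, the profile names and the PSK placeholder are all assumed values; the command names follow the ASA 9.19 DVTI configuration as I know it, so check them against the configuration guide for your release.

```cisco
! ===== ASA 9.19+ (static outside address, assumed 203.0.113.1): dynamic VTI =====
! IKEv2 proposal / policy. The peer has no fixed address, so the ASA cannot
! pre-authorise it by IP: authentication rests entirely on the PSK or certificate.
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE

crypto ipsec ikev2 ipsec-proposal GCM256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

crypto ipsec profile DVTI_PROFILE
 set ikev2 ipsec-proposal GCM256

! Loopback that supplies the local tunnel address (assumed 172.16.2.1/24).
interface Loopback1
 nameif LO1
 ip address 172.16.2.1 255.255.255.0

! The template replaces "interface Tunnel0": note there is no "tunnel destination".
! Each IKEv2 session that authenticates against the tunnel-group below gets its
! own Virtual-Access interface cloned from this template.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel source interface OUTSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI_PROFILE

! Dynamic peers cannot match a tunnel-group named after their IP, so they land
! on DefaultL2LGroup. The PSK is a placeholder; a per-device certificate is the
! stronger choice here, because any host holding the PSK can bring a tunnel up.
tunnel-group DefaultL2LGroup ipsec-attributes
 virtual-template 1
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>

! ===== Router (DHCP-assigned WAN address on GigabitEthernet0/0): static VTI =====
crypto ikev2 proposal GCM256
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 policy DVTI
 proposal GCM256

crypto ikev2 keyring ASA-KEYS
 peer ASA
  address 203.0.113.1
  pre-shared-key <PSK-PLACEHOLDER>

crypto ikev2 profile ASA-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ASA-KEYS

crypto ipsec transform-set GCM256 esp-gcm 256
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set GCM256
 set ikev2-profile ASA-PROFILE

! The router side is the "normal" sVTI from the earlier posts: the DHCP address
! is the source, the ASA's fixed address is the destination.
interface Tunnel0
 ip address 172.16.2.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
```

The routing protocol (BGP or EIGRP, as discussed earlier in the thread) is then configured over the tunnel addresses as it would be on a static VTI; the ASA's local endpoint is the loopback address rather than a Tunnel interface. On the ASA, "show crypto ikev2 sa" and the Virtual-Access interface in "show interface" are the quickest way to confirm the router was accepted, and a peer that should not have connected at all shows up there too, which is why the authentication choice on DefaultL2LGroup deserves more care than it would on a tunnel-group tied to a known IP.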

According to my research, the ASA 5545 only allows IOS upgrades up to version 9.14....

I really appreciate the solution you presented, but I can't implement it.

Is there any other solution that can be implemented ? Any ideas?…

Thank you very much for your help...

Fernando