
ASA5506 Site to Site VPN with Dynamic DNS

mohdumer
Level 1

Dear Team,

Kindly help me out in the below scenario.

I need to configure IPsec VPN via ASDM by using Dynamic DNS. I did not find any suitable supporting document on the internet that I can use to achieve my goal.

Kindly guide me for the configuration.

5 Replies

marce1000
VIP

 

1. Ensure that you have a Cisco ASA device with the ASDM (Adaptive Security Device Manager) installed and configured.
2. Obtain a Dynamic DNS (DDNS) hostname from a DDNS service provider. This hostname will be used to dynamically update the IP address of the ASA's public interface.
3. Configure the ASA's public interface with a static public IP address or obtain an IP address from your ISP if you don't have one already.
4. Configure the ASA's inside interface with the appropriate internal IP address.
5. Access the Cisco ASDM by opening a web browser and entering the IP address of the ASA's inside interface.
6. Log in to the ASDM using your administrator credentials.
7. In the ASDM interface, navigate to Configuration > Site-to-Site VPN > Connection Profiles.
8. Click "Add" to create a new connection profile.
9. Enter a name for the connection profile and select the "Remote Access" type.
10. In the "General" tab, configure the following settings:
    - Enable the checkbox for "Enable inbound IPsec sessions to bypass interface access lists."
    - Select "IKE with Preshared Key" as the authentication method.
    - Enter a preshared key in the "Preshared Key" field. Note this key down as you will need it to configure the remote VPN client.
11. In the "Advanced" tab, configure the following settings:
    - Select "Enable IKEv1" as the IKE version.
    - Enter the DDNS hostname you obtained earlier in the "Dynamic DNS hostname" field.
    - Enable "Enable IPsec over TCP" if you are behind a restrictive firewall that blocks IPsec traffic.
12. Save the configuration changes.
13. Navigate to Configuration > Firewall > NAT Rules.
14. Create a new NAT rule that maps the public IP address of the ASA's outside interface to the internal IP address of the device or network you want to connect to via VPN.
15. Save the NAT rule.
16. Test the VPN connection by configuring a remote VPN client with the following details:
    - VPN server: The public IP address of the ASA's outside interface or the DDNS hostname.
    - VPN type: IKEv1 or IKEv2, depending on your configuration.
    - Pre-shared key: The key you entered in Step 10.
17. Connect the remote VPN client and verify that the VPN tunnel is successfully established.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Dear MHM.

I had gone through the document you shared, it is helpful but as per my requirement I need Site to Site VPN using Dynamic DNS instead of Static or Dynamic IP.

One site is dynamic DNS, the other is static IP.

We use dynamic to static, as in the link I shared above.

The peer with dynamic DNS has set peer toward the static IP peer.

The static IP peer uses crypto map dynamic and hence it doesn't care about the IP trying to initiate IPsec to it.

The IP is changed in DNS, what happens to the tunnel? There is isakmp keepalive, which detects peer status and re-negotiates new IPsec when the IP changes.

Are you looking to use the FQDN in the site to site configs instead of the IPs? If so, I think you can set the FQDN in the "crypto map" peer command as well as in the tunnel group. I don't recall ever having done this before, but you can give it a try.
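
The dynamic-to-static arrangement described in the reply above (set peer on the dynamic side, a dynamic crypto map on the static side, ISAKMP keepalives on both), sketched as ASA CLI in an added example that is not from any poster in this thread. All names, the documentation-range addresses and the key placeholder are assumptions, and a matching IKEv1 policy and NAT exemption are assumed to exist on both units.

```cisco
! ===== Static-IP ASA (responder; assumed outside address 203.0.113.10) =====
! The dynamic crypto map accepts a peer from any source address, so no
! "set peer" is configured here and this side never initiates the tunnel.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-L2L 65535 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
! Peers with an unknown address land in DefaultL2LGroup. This key is the
! only thing authenticating them, so use a long random value.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2

! ===== Dynamic-IP ASA (initiator; outside address changes) =====
! Assumed LANs: 192.168.10.0/24 behind this unit, 192.168.20.0/24 behind
! the static-IP unit.
access-list L2L-ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 ! Keepalives (DPD) let this side notice a dead tunnel after its own
 ! address changes and negotiate a new one from the new address.
 isakmp keepalive threshold 10 retry 2
```

`show crypto ikev1 sa` and `show crypto ipsec sa` on either unit show whether the tunnel came up and which peer address it is currently bound to.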