Cisco ASA 5510 Multiple dynamic L2L VPN config needed

realnakrul
Level 1

Hello,

We have a Cisco ASA 5510 with a static IP. We also have a remote office with a dynamic IP. We currently have a dynamic-to-static L2L VPN configured, and now we need to add a new tunnel to another site with a dynamic IP. Is it possible? Does anybody have a working example, or a manual?

Oleg Kobelev


Thank you for your example. But now I have such a configuration. My problem is to add a new dynamic tunnel to the existing configuration.

In the example there is:

!--- The security appliance provides the default tunnel groups
!--- for Lan to Lan access (DefaultL2LGroup) and configure the preshared key
!--- (cisco123) to authenticate the remote router. 

Should I use the same preshared key on the new site? Or do I have to create a new tunnel group?

Oleg Kobelev

When you have configured a dynamic L2L tunnel - you can have only 1 PSK. As it's a default L2L - that is the difference to a specific PEER config.

So I would suggest you choose a long & complex PSK as you have to use it for ALL dynamic L2L VPNs.

HTH>

So, I only have to add an access-list entry for the new network? No new crypto map and ISAKMP policy?

Oleg Kobelev

The only config you need in the ASA is:-

1) Crypto Transform set

2) ISAKMP Policy

3) Dynamic Crypto Map

4) Default L2L group & PSK

5) RRI (Reverse Route Injection) Config

HTH>