Dynamic site to site vpn.

opnineopnine
Level 1

Hi all,

One of our customers asked the following question.

They have an ASA 5510 and they will implement dynamic site-to-site VPN, because some of their customers don't have a static IP.

What they want to know is whether, instead of creating a VPN configuration for every new site, they can have only one VPN configuration for all the new sites they are adding.

Thanks!


4 Replies

Richard Burts
Hall of Fame

If I am understanding your question correctly, then the answer is yes: the customer will configure just a single instance of a dynamic map on the ASA with the fixed IP, and multiple remote peers with dynamic addresses will negotiate VPN sessions to it. In this environment the hub ASA with the fixed address does not have a per-peer entry in its crypto map but has a single dynamic entry that multiple remote peers will use.

HTH

Rick
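As an added illustration of the single dynamic-map entry described in the reply above (this is an example written for this page, not configuration from the thread, from Cisco, or from the poster's customer; the subnets, object names, the hub address 203.0.113.1 and the key placeholder are all assumed), here is a hub ASA on pre-8.3 code that accepts three spokes with dynamic addresses through one dynamic map, followed by the matching spoke side. Each remote LAN is one ACE in the same crypto ACL, so adding a fourth spoke is one more `access-list` line plus its NAT-exemption twin, not a new crypto map entry:

```cisco
! ===== Hub ASA: fixed public IP on "outside", pre-8.3 NAT syntax (example only) =====
! Assumed addressing: hub LAN 172.16.1.0/24; spoke LANs 10.1.100.0/24, 10.1.101.0/24, 10.1.102.0/24

! Phase 1: one policy shared by all spokes; every spoke must offer a matching proposal.
crypto isakmp policy 5
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp enable outside

! A spoke arrives from an address the hub does not know in advance, so the ASA
! cannot select a per-peer tunnel-group by IP; all dynamic spokes land in
! DefaultL2LGroup and therefore authenticate with this one shared key.
tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key <PRE-SHARED KEY>

! One crypto ACL, one ACE per spoke LAN. A new spoke is one more line here.
access-list HUB-DYN-CRYPTO extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list HUB-DYN-CRYPTO extended permit ip 172.16.1.0 255.255.255.0 10.1.101.0 255.255.255.0
access-list HUB-DYN-CRYPTO extended permit ip 172.16.1.0 255.255.255.0 10.1.102.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

! The single dynamic-map entry used by every spoke. The crypto ACL is bound here,
! on the dynamic-map, and limits which proxy identities a spoke may negotiate;
! without it the hub accepts whatever proxy IDs the spoke proposes.
crypto dynamic-map HUB-DYNMAP 10 match address HUB-DYN-CRYPTO
crypto dynamic-map HUB-DYNMAP 10 set transform-set ESP-AES128-SHA

! The dynamic entry takes the highest sequence number so that any static
! (fixed-IP) peer entries added later are evaluated before it.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic HUB-DYNMAP
crypto map OUTSIDE-MAP interface outside

! NAT exemption mirrors the crypto ACL line for line.
access-list HUB-DYN-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list HUB-DYN-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.101.0 255.255.255.0
access-list HUB-DYN-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.102.0 255.255.255.0
nat (inside) 0 access-list HUB-DYN-NONAT

! ===== Spoke ASA (dynamic outside address), LAN 10.1.100.0/24 (example only) =====
! The spoke is an ordinary static site-to-site peer pointed at the hub's fixed
! address (203.0.113.1 is assumed). Only the spoke can initiate the tunnel;
! the hub has no address to dial.
crypto isakmp policy 5
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp enable outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
  pre-shared-key <PRE-SHARED KEY>

access-list SPOKE-CRYPTO extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address SPOKE-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES128-SHA
crypto map OUTSIDE-MAP interface outside

access-list SPOKE-NONAT extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list SPOKE-NONAT
```

Bring a tunnel up by sending traffic from a spoke LAN toward the hub LAN, then confirm on the hub with `show crypto isakmp sa` (one MM_ACTIVE entry per spoke) and `show crypto ipsec sa` (the negotiated proxy identities should be exactly one ACE of HUB-DYN-CRYPTO). Two caveats follow from the design: all dynamic spokes share one pre-shared key, so a compromised spoke means rotating the key on every site; and because the hub cannot tie a dynamic peer to a particular ACE, any holder of that key can negotiate any of the listed spoke subnets. If either matters, move the spokes to certificate authentication with per-peer tunnel-groups instead of the shared key in DefaultL2LGroup.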

Hello Richard,

Thanks for your reply. I found this configuration, and my doubt is about the ACLs: will I have to create one ACL for each new VPN device that connects to my site? The idea is to have 3 remote VPNs with dynamic IPs.

Thanks

! Phase 1 policy offered to every dynamic peer.
crypto isakmp policy 5
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp enable outside

! Peers with unknown addresses fall into DefaultL2LGroup, so all of them share this key.
tunnel-group DefaultL2LGroup ipsec-attributes
  pre-shared-key <PRE-SHARED KEY>

! Crypto ACL: local 172.16.1.0/24 to remote 10.1.100.0/24.
access-list ENCDOM-100 extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

! The crypto ACL is bound on the dynamic-map entry (where the ASA places it for
! dynamic peers), and the crypto map sequence only references the dynamic map.
crypto dynamic-map ENCDOM-100-DYNMAP 10 match address ENCDOM-100
crypto dynamic-map ENCDOM-100-DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map outside 100 ipsec-isakmp dynamic ENCDOM-100-DYNMAP
crypto map outside interface outside

! NAT exemption (pre-8.3 syntax) mirroring the crypto ACL.
access-list ENCDOM-100-NONAT extended permit ip 172.16.1.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list ENCDOM-100-NONAT

 

Perhaps you will find information in these discussions that will help you understand what is needed:

https://supportforums.cisco.com/discussion/11624431/site-site-vpn-if-remote-asa-has-dynamic-ip-outside

This link has a good example of configuring an ASA to do a VPN to a peer that uses a dynamic IP:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html

HTH

Rick

I am glad that my response was helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify threads that have helpful information.

HTH

Rick