Dynamic Sonicwall to Static ASA

WStoffel1
Level 1

Forgive the almost matching repost of a question I had last week, but I wanted to be sure about something.

I now have a Sonicwall overseas that has a dynamic outside address.  I'm going to configure a tunnel to my ASA which has a static address.

Obviously the Sonicwall is initiating the connection. 

Just so I'm clear:

On the ASA can I configure a tunnel group to accept the *dynamic* connection from the remote Sonicwall?  Or is my only option to use the DefaultL2LGroup (main mode) or DefaultRAGroup (aggressive mode)?

Thanks!

7 Replies

Gustavo Medina
Cisco Employee

Hello,

Please refer to the following doc and let me know if you have any questions:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml

Thanks for the fast response!  Guess I was not searching properly, I'll have a look at this asap.

OK, that was a huge help and I have the tunnel up using aggressive mode. I created a "tunnel-group HOME type ipsec-l2l", used the key identifier HOME on the Sonicwall, and it negotiates and lands on my "crypto dynamic-map cisco 1", as you'll see in the following config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 99 ipsec-isakmp dynamic cisco
crypto map Outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group HOME type ipsec-l2l
tunnel-group HOME ipsec-attributes
 pre-shared-key *******


It matches my isakmp policy 5, phase 1 comes up.  Phase 2 negotiates, comes up.  No problem there.

What I don't seem to be able to do is create another dynamic crypto entry now... I have dynamic-map cisco 1, shouldn't I be able to create:

crypto dynamic-map cisco 2 set transform-set ESP-3DES-SHA (based on the above transform set) ?

Thanks.

Glad it helped you! And yes, you should be able to configure that line, but why do you want another dynamic entry?

Different customer encryption requirements. Not my call, I just need to get it working.

With the above config I'm looking along these lines:

crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 2 set transform-set ESP-3DES-SHA
crypto dynamic-map cisco 2 set security-association lifetime seconds 28800
crypto dynamic-map cisco 2 set security-association lifetime kilobytes 4608000

CustomerA, with a dynamic ISP address, has a tunnel configured to use 3des and md5; they would land on their tunnel group and it would negotiate because of cisco 1.

CustomerB has to use 3des and sha1 for a business requirement, but still has a dynamically assigned outside address; they wouldn't be able to connect if cisco 1 was the only option.

Short of telling one customer or the other they have to change their requirements, I don't see a way around it.

Hi,

You can do the following:

crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5 ESP-3DES-SHA

Regards,

-Gustavo
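As an added check (not part of this thread or of any Cisco tool), the script below parses the `crypto ipsec transform-set` and `crypto dynamic-map ... set transform-set` lines of an ASA config excerpt and reports which dynamic peers' required ESP proposals no dynamic-map entry offers. The two config excerpts and the CustomerA/CustomerB requirements are constructed from the thread; the "before" excerpt lists only ESP-3DES-MD5 and the "after" excerpt applies the accepted fix of listing both transform sets on one entry.

```python
import re
from typing import Dict, FrozenSet, List, Set

# Constructed excerpts of the ASA config from the thread: before and after
# the accepted fix (both transform sets on the single dynamic-map entry).
ASA_CONFIG_BEFORE = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set ESP-3DES-MD5
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto map Outside_map 99 ipsec-isakmp dynamic cisco
"""
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE.replace(
    "set transform-set ESP-3DES-MD5", "set transform-set ESP-3DES-MD5 ESP-3DES-SHA")

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")

def parse_transform_sets(config: str) -> Dict[str, FrozenSet[str]]:
    """Map each transform-set name to its set of ESP algorithms."""
    sets: Dict[str, FrozenSet[str]] = {}
    for line in config.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            sets[m.group(1)] = frozenset(m.group(2).split())
    return sets

def dynamic_map_proposals(config: str) -> List[FrozenSet[str]]:
    """Algorithm combinations a dynamic peer can negotiate, in map order."""
    sets = parse_transform_sets(config)
    proposals: List[FrozenSet[str]] = []
    for line in config.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            for name in m.group(3).split():
                if name not in sets:  # dynamic-map references an undefined set
                    raise ValueError(f"unknown transform-set {name}")
                proposals.append(sets[name])
    return proposals

def uncovered_peers(config: str, peers: Dict[str, Set[str]]) -> List[str]:
    """Peers whose required ESP proposal no dynamic-map entry offers."""
    proposals = dynamic_map_proposals(config)
    return [p for p, need in peers.items() if frozenset(need) not in proposals]

# Constructed per-customer requirements, as described in the thread.
PEERS = {
    "CustomerA": {"esp-3des", "esp-md5-hmac"},
    "CustomerB": {"esp-3des", "esp-sha-hmac"},
}

if __name__ == "__main__":
    print("before:", uncovered_peers(ASA_CONFIG_BEFORE, PEERS))  # → ['CustomerB']
    print("after:", uncovered_peers(ASA_CONFIG_AFTER, PEERS))    # → []
```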

Oh snap!  Thanks!