Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
964
Views
0
Helpful
2
Replies

L2L VPN - Static IP to DHCP (Dynamic) IP

david
Level 1
Level 1

‎12-18-2012 09:07 AM

Hi All, I know this can be done, but I'm having a real difficult time getting it setup.  We have a few remote sites that have DHCP Internet connections and we have site-to-site tunnels configured from them to our central ASA, which of course has a static IP address.  Every once in a while the remote side DHCP address changes, which breaks the L2L tunnel.  Is there a simple way to alter the existing site to site configs so that the Dynamic side always initiates the tunnel connection?  I would much prefer to know how to achieve this using ASDM.  We're running IOS 8.4 and ASDM v7 on all ASA's.

Thanks!          

Labels:
0 Helpful
2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

‎12-18-2012 09:58 AM

Hello David,

I can help you with the information you need to run, I do not have access to one of the ASA's on our lab right now so I will provide you the CLI commands I remember.

First what needs to be modified is the site with the static Ip address ( In the other side {Dynamic IP} everything will be the same as we still know the Remote ip address of our peer,etc,etc).

Now on the static side you will need to configure a dynamic crypto map so we can allow the inbound connections comming from a non-specific peer.

So let's say you already have a crypto map called VPN1 so lets work with that ( The dynamic map will be called cisco)

1)crypto ipsec ikev1 transform-set cisco esp-aes esp-sha-hmac **The transform-set to be used

2)crypto dynamic-map cisco 10 set ikev1 transform-set cisco     ** The dynamic map to be used

3) crypto map VPN1 6535 ipsec-isakmp dynamic cisco               ** The dynamic map applied to the static map

As you can see no need to set the peer of the crypto ACL.

Finally we need to change the tunnel group configuration ( Remember that on the ASA we must set the peer ip address for the tunnel group, now on this case as we do not have it we SHOULD use the default-tunnel-group and set the pre-shared key there )

  tunnel-group DefaultL2LGroup ipsec-attributes

  ikev1 pre-shared-key cisco

Hope that I could help,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

anujsharma85
Level 1
Level 1

‎12-18-2012 10:04 AM

You can configure Crypto map connection type entry for a peer to be "originate-only". Command to do the same is "Crypto map set connection type originate-only".

Not sure about the exact path in ASDM for the same as I cannot recall it now however it is available for sure with every crypto map sequence entry in ASDM as well.

Regards,

Anuj

0 Helpful
Customers Also Viewed These Support Documents