Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
499
Views
5
Helpful
7
Replies

Setup VPN between ASA 5505's one with a Static IP and another on Dynamic

Simon.peters1
Level 1
Level 1

‎12-08-2016 04:38 AM

Hello,


I am looking at getting a VPN setup between two ASA's one that will have a static IP address and one that will not. I am hoping to use NOIP or Dynamic dns to take care of the site with no static Ip but I am looking at a little help getting it setup.

Is this possible with the two Asa's? I have found this so far.

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/118743-configure-asa-00.html

Thanks!

Labels:
0 Helpful
7 Replies 7

JP Miranda Z
Cisco Employee
Cisco Employee

‎12-08-2016 12:27 PM

Hi Simon,

Yes you can configure a dynamic to static tunnel, this is the configuration guide:

ikev1:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html

ikev2:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html

Hope this info helps!!

Rate if helps you!! 

-JP-

0 Helpful

Simon.peters1
Level 1
Level 1
In response to JP Miranda Z

‎12-08-2016 01:28 PM

Hello JP,

Thanks for replying, very useful links you have provided!


My issue though it the HO is the site that doesn't have the Static address but the remote sites does.

Regards,
Simon

0 Helpful

JP Miranda Z
Cisco Employee
Cisco Employee
In response to Simon.peters1

‎12-08-2016 01:33 PM

Hi Simon.peters1,

The device that is static and the one dynamic is not really going to make any difference, so if the HO is dynamic you need to configure the static crypto map and the remote needs to configure a dynamic crypto map.

Hope this info helps!!

Rate if helps you!! 

-JP-

Simon.peters1
Level 1
Level 1
In response to JP Miranda Z

‎12-08-2016 01:37 PM

Hi JP,

Thabk you very much for your help. I will have a look tomorrow and let you know how it goes.

It looks like it will be exactly what I need!

Thanks,

Simon

0 Helpful

Simon.peters1
Level 1
Level 1
In response to JP Miranda Z

‎12-09-2016 12:56 AM

Hello,

I have had a look and I think it will be ok but I need to setup multiple VPNS to the HO ASA that has no static IP Address. 

Looking at the links if I set the IKE Parameters to be KeyID will it work with Multiple vpns?

Regards,

Simon

0 Helpful

Simon.peters1
Level 1
Level 1
In response to JP Miranda Z

‎12-09-2016 03:25 PM

Hi JP,

I have got the tunnel established ok but can't access anything either end so assume there is an ussue with the access lists.

One question on the static setup side, there is no mention of setting the tunnel up on the static side in the setup notes, I have used the wizard to create the vpn as otherwise it wont come up. I assume you need to create the site to site vpn on the static ASA?

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html

Thanks,
Simon

0 Helpful

Simon.peters1
Level 1
Level 1
In response to Simon.peters1

‎12-09-2016 04:06 PM

Another update......

I have now got the VPN working between the two but I loose internet access both ends.

I am getting an error as below when pinging google.

teardown icmp connection for add 8.8.8.8 

Any suggestions?

Thanks!

0 Helpful
Customers Also Viewed These Support Documents