
site to site vpn with dynamic ip on both sides

inspirafos
Level 1

Hi, is it possible to configure a site-to-site VPN when both sides have dynamic IP addresses assigned?

Both ASA devices have the latest firmware.

//:Erik                  


Jeff Van Houten
Level 5

Certainly on a router you can tie your crypto-map to the "any" address (0.0.0.0 0.0.0.0). Assuming you're using PSK, that means you'll accept any connection as long as the PSK and the crypto-map configuration match. That would allow dynamically addressed routers to connect.

For the ASA, I'm not sure.


Eric

I have thought about your question and wondered about the possibility of configuring the "any" option as suggested by Jeff. But after considering this I believe that there is a problem in this approach. While it is certainly a viable configuration and works quite well to accept a connection request from any other device, I believe that it is sort of like configuring to set up an EtherChannel. If you set both ends as passive then they will both accept a connection request. But there is not anything set up to initiate the request. For this crypto configuration both peers will accept a connection request, but I do not see how you get either peer to initiate a connection request to the other.

I have not been able to think of a way to do what you want and to establish a site-to-site VPN when peers are using dynamic addresses. The closest I have come is to use dynamic DNS and base the peering on names rather than addresses. But I cannot remember seeing anything where someone has done it this way.

HTH

Rick
