
Site-to-site VPN with dynamic IPs

abdul basit
Level 1

Hi all,

I am asking this question again: does VPN work with dynamic IPs at the remote sites, and if yes, how? Kindly help me, because I read one document about it on the PIX firewall, but there they mention that if the main site has a static public IP and the other remote sites have dynamic IPs, then only the remote sites can initiate the VPN connection while the main campus can't. Isn't there any way that both main and remote sites can initiate the connection in the scenario I mentioned? The scenario I am working on for an organization is shown in the figure. The main campus has a PIX525 v7.2 in the distribution layer, but with a restricted license, and has a static IP; all other sites have dynamic IPs.

Accepted Solutions

anujsharma85
Level 1

We need to have the main site configured with a static IP address to get this scenario working; however, this works fine with IOS routers by running a DynDNS account on them.

Currently there is an enhancement request filed for DDNS functionality with ASA. Once this gets resolved, ASA should have similar functionality as well.

The enhancement is mentioned below:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl46782

You may not be able to access it fully and might need to contact your SE or accounts team to see all the details.

For configuring static-to-dynamic VPN on ASA, you can refer to the links mentioned below:

http://tunnelsup.com/2010/05/10/dynamicdhcp-vpn-tunnel-between-two-asas/

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

For future reference, if you encounter such a scenario with routers, then simply set up a DynDNS account on them, and then you can use the crypto isakmp identity hostname command along with the normal configuration to get such a setup working.

Dynamic DNS support for IOS:

http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gt_ddns.html

Hope this helps.

Regards,

Anuj
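
The static-to-dynamic setup this answer refers to, as an added example that is not from the post or the linked documents: PIX/ASA 7.2 syntax for a main site that only answers negotiations and a remote site that initiates them. The addresses (203.0.113.1, 10.0.0.0/24, 10.1.1.0/24), the object names and the pre-shared-key placeholder are constructed, and it assumes the remote site also runs PIX/ASA 7.x with interfaces named outside and inside.

```cisco
! ===== Main site: static public IP 203.0.113.1 (constructed), PIX/ASA 7.2 =====
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! AES here assumes the 3DES/AES feature is licensed on the unit
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Dynamic map: no "set peer", because the remote address is not known in advance,
! so this side can only answer negotiations, never start them
crypto dynamic-map DYN-REMOTES 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-REMOTES
crypto map OUTSIDE-MAP interface outside
! L2L peers with no tunnel-group of their own fall into DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
! Exempt main LAN -> remote LAN traffic from NAT
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ===== Remote site: dynamic public IP (assumed to be PIX/ASA 7.x as well) =====
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Traffic that triggers the tunnel; also used for NAT exemption
access-list VPN-TO-MAIN extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list VPN-TO-MAIN
! Static map entry: the main site's address is fixed, so this side can initiate
crypto map OUTSIDE-MAP 10 match address VPN-TO-MAIN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
```

Every dynamic-address peer authenticates against the single DefaultL2LGroup key, so that key should be a long random value. The tunnel comes up only when the remote site sends traffic matching VPN-TO-MAIN.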

3 Replies

Jennifer Halim
Cisco Employee

That is correct. When you first initiate the VPN tunnel, only the remote site with the dynamic IP can initiate the tunnel, to the main site with the static IP. However, once the tunnel is established, traffic can be forwarded in both directions, so the main site can access the remote end and the remote site can access the main site.

The reason why only the dynamic site can initiate the VPN tunnel is that the main site won't know what the IP address of the remote end is, hence the dynamic end needs to establish the VPN tunnel first.

Thanks, Anuj.

Your information is really helpful.