Using static- and dynamic-addressed L2L VPN tunnels

otaku-genghis
Level 1

We have an ASA 5510 running 8.0 at our company HQ. We have remote sites that need to create L2L VPN tunnels to the HQ ASA. Some remote sites have static IPs and others have dynamic IPs.

I have found Cisco documentation for static-IP L2L VPN tunnels and have them working. I have found other Cisco documentation for dynamic-to-static-IP L2L VPN tunnels using the "DefaultL2LGroup" tunnel-group.

My question is, can you have both kinds of L2L tunnels on the same ASA? If so, will simply using the "DefaultL2LGroup" tunnel-group and <IP> tunnel-group definitions work? Is there a reason not to do this? Is there a better technology (ASA at HQ and a combination of ASA 5505s and 1861s at the remote sites) available?

Accepted Solution

andrew.prince
Level 10

Yes, you can have both kinds of L2L tunnels. If you are using a PSK, remember the IP address of the remote site is used to "validate it" for connection to the HQ. As long as you are using a secure PSK (around 64 chars, mixed upper/lower-case alphanumeric), you should be OK.

A better way of doing it is to get static IP addresses for the sites that currently have DHCP from the ISP.

HTH


Thank you for the reply. I configured the DefaultL2LGroup tunnel-group and successfully set up a VPN tunnel from a dynamically addressed PIX.

Note:

1. You have to issue "show running-config all" to see the DefaultL2LGroup entries.

2. There may be a problem with PIX-to-ASA VPN tunnels when the HQ ASA has multiple ISAKMP policies. Setting the remote side to the highest-numbered ISAKMP policy brought the tunnel up immediately.
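As an added illustration of the accepted answer and of the notes above (this is not configuration from either poster; the addresses 203.0.113.10 for the static-IP site, 10.0.0.0/24 at HQ and 10.1.0.0/24 at the remote site, the map and ACL names, and the pre-shared keys are all constructed placeholders), here is how a static-peer tunnel-group and the DefaultL2LGroup catch-all sit side by side in an ASA 8.0 running-config:

```cisco
! --- Phase 1: a single ISAKMP policy, so the remote peers have exactly one
!     proposal to match (the PIX note above suggests multiple policies can
!     confuse older peers; keeping one avoids that ambiguity).
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! --- Phase 2 transform set shared by every L2L tunnel
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Static-IP remote site: the tunnel-group is named by the peer's address,
!     so the source IP of the IKE negotiation selects this PSK.
!     <STATIC_SITE_PSK> is a placeholder for a long random key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <STATIC_SITE_PSK>

! --- Dynamic-IP remote sites: no address to match, so IKE falls through to
!     DefaultL2LGroup. It is not shown by "show running-config" unless you
!     add "all". Every dynamic site shares this one key, so use a separate,
!     equally long key here and never reuse the static site's PSK.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <DYNAMIC_SITE_PSK>

! --- Interesting traffic for the static site (constructed subnets)
access-list HQ-TO-SITEA extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0

! --- Crypto map: the static peer gets an explicit, low-numbered entry ...
crypto map OUTSIDE_MAP 10 match address HQ-TO-SITEA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA

! --- ... and the dynamic sites land on a dynamic-map entry evaluated last,
!     so an unknown peer can only ever match the catch-all, never a static
!     site's entry.
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
```

Two things to check after applying this: "show running-config all" should now list the DefaultL2LGroup pre-shared-key line (the plain "show running-config" hides it, as the second reply notes), and "show crypto isakmp sa" should show the static site as peer 203.0.113.10 while each dynamic site appears under whatever address its ISP handed it that day. The security trade-off the accepted answer alludes to is visible in the config: the static site is authenticated by its address plus its own key, whereas every dynamic site is authenticated by the shared DefaultL2LGroup key alone, which is why that key needs to be long and unique and why moving those sites to static addresses is the better fix.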