VPN isr to isr with floating external addresses

mbluemel
Level 1

I have a client who wants to connect two sites via an IPsec VPN. Both devices are ISRs. Both ends also have dynamically assigned external IP addresses, but one end also has a block of 6 routable addresses that could be used if possible. Does anyone have a working configuration that would work in this scenario?

6 Replies

Jennifer Halim
Cisco Employee

With site-to-site VPN, typically you will terminate the VPN on the external interface of the ISR, which typically connects to the Internet and has a publicly assigned IP address on its interface.

Can you please advise whether both ends of the ISR interfaces that connect to the Internet have a static IP address or a dynamic IP address?

Not quite sure what you mean by both ends being dynamically assigned but the other end having a block of 6 addresses. If it's dynamically assigned, how can it have a block of 6 addresses?

Both ends have dynamically assigned external addresses, but one end has a block of addresses that are routable. The external address may change, but the block is always routed to it.

At the moment they have an ISA server that is on a static address.

What you can do is, on the site where you have 6 routable IP addresses, assign one of them to the router loopback interface, and you can use the loopback interface to terminate the VPN tunnel.

This will make a static-to-dynamic site-to-site VPN tunnel. The site with the dynamic IP address needs to initiate the connection.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

(You can ignore the vpn client section if you don't want to configure vpn client)

On the static site where you have configured the loopback, you also need to add the following to source the crypto from that loopback interface:

`crypto map <map-name> local-address <loopback-interface>`

Here is the command for your reference:

http://www.cisco.com/en/US/partner/docs/ios/12_3/security/command/reference/sec_c2g.html#wp1073947
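As an added illustration of the static-to-dynamic design described in this reply (not configuration from the thread or from the linked Cisco document), here is an assumed pair of IOS configurations. All names (VPN-CMAP, DYN-MAP, AES-SHA, VPN-TRAFFIC, NAT-EXEMPT), the documentation-range addresses (203.0.113.2 for the loopback, 10.1.0.0/24 and 10.2.0.0/24 for the LANs), the interface names and the placeholder pre-shared key are assumptions chosen for the example.

```ios
! ===== Site A: static side (owns the routed block; loopback takes one address) =====
! Assumed: Loopback0 = 203.0.113.2 from the routed block, LAN 10.1.0.0/24,
! WAN on GigabitEthernet0/0 via DHCP, placeholder key REPLACE-WITH-STRONG-PSK.
!
! The loopback keeps its address when the ISP-assigned WAN address changes.
interface Loopback0
 ip address 203.0.113.2 255.255.255.255
!
! IKEv1 phase 1. AES-256 / SHA-256 / DH group 14 are chosen here instead of the
! DES / MD5 values seen in older examples; older IOS images may only offer
! "hash sha" and "esp-sha-hmac", in which case substitute those.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Wildcard peer address: the dynamic site's public IP is unknown in advance, so
! any peer presenting this key may negotiate. Use a long, tunnel-specific key.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
!
! Dynamic crypto map: this side can only ACCEPT a tunnel, never initiate one,
! which is why interesting traffic has to originate at site B.
crypto dynamic-map DYN-MAP 10
 set transform-set AES-SHA
!
crypto map VPN-CMAP 10 ipsec-isakmp dynamic DYN-MAP
! Source ISAKMP and IPsec from the loopback instead of the changing WAN address.
crypto map VPN-CMAP local-address Loopback0
!
! The map is applied to both the loopback and the physical WAN interface.
interface Loopback0
 crypto map VPN-CMAP
interface GigabitEthernet0/0
 description WAN (ISP DHCP address)
 ip address dhcp
 ip nat outside
 crypto map VPN-CMAP
interface GigabitEthernet0/1
 description LAN
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
! Exempt site-to-site traffic from overload NAT so it still matches site B's crypto ACL.
ip access-list extended NAT-EXEMPT
 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface GigabitEthernet0/0 overload

! ===== Site B: dynamic side (must initiate) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The peer is the fixed loopback address of site A, not its WAN address.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
!
! Crypto ACL = "interesting traffic". Only a packet matching this entry triggers
! IKE, so a ping from a 10.2.0.x host to a 10.1.0.x host should bring the tunnel up.
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPN-CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN (ISP DHCP address)
 ip address dhcp
 ip nat outside
 crypto map VPN-CMAP
interface GigabitEthernet0/1
 description LAN
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
!
ip access-list extended NAT-EXEMPT
 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface GigabitEthernet0/0 overload
```

Two checks are worth running when the dynamic end never appears to initiate: on site B, `show crypto isakmp sa` and `show crypto ipsec sa` show whether any IKE negotiation was attempted at all, and a packet that gets NATed before it reaches the crypto map (missing NAT exemption) or that does not match VPN-TRAFFIC (for example a ping sourced from the router's WAN address rather than a LAN address) will never trigger it. On site A, the wildcard pre-shared key means any host that learns the key can negotiate phase 1, so rotate it if it is shared widely, or move to certificate-based authentication once the basic tunnel works.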

Thanks for your help.

I have tried this configuration but cannot get the site-to-site VPN working.

The VPN client works, so that's a help anyway.

Great, if the VPN client works, the L2L tunnel should work too.

Since the other side is dynamic, you would need to configure a dynamic-to-static L2L tunnel, with traffic initiated from the dynamic end towards the static end.

The strange thing is that the other end with a dynamic address does not seem to even try to initiate a connection. At the moment, as there are only three users, they are using the VPN client connection. I will be looking deeper into it over the next week or so. Thanks for all your help.