VPN with Dynamic IP

cisco.plus
Level 1

Hi

I have one HQ and 3 remote offices; all branches would need to access the application and email from HQ.

At HQ I have a 3845 VPN server; 2MB Internet link with 2 public IPs

At Branch #1 I have a 2801 router; 1MB Internet link with 2 public IPs

At Branch #2 I have an 887 DSL router; 4MB DSL Internet with a dynamic public IP

At Branch #3 I have an ASA 5510; 1MB DSL Internet with 2 public IPs

Site-to-site VPN between HQ and Branch #1 is working OK. What configuration do I need on HQ and Branch #2 to set up the VPN?

HQ Subnets

192.168.150.0 255.255.255.0 - Users

192.168.151.0 255.255.255.0 - Application Server

192.168.152.0 255.255.255.0 - Windows Server

192.168.153.0 255.255.255.0 - Linux Server

Branch#1 Subnet

192.168.200.0 255.255.255.0 - Users

Branch#2 subnet

192.168.203.0 255.255.255.0 - Users

Branch#3 Subnets

192.168.206.0 255.255.255.0 - Users

HQ_VPN_Configuration

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 123456 address 5.5.5.5
crypto ipsec transform-set VPN_Con_BR1 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set VPN_Con_BR1
 match address BR1
interface Tunnel15
 description GRE_Tunnel_to_BR1
 ip address 10.100.200.1 255.255.255.252
 tunnel source 10.10.12.2
 tunnel destination 172.16.32.2
interface GigabitEthernet0/0
 description Connected to BackBone
 ip address 10.10.12.2 255.255.255.248
interface GigabitEthernet0/1
 description Public IP Interface
 ip address 1.1.1.1 255.255.255.252
 no ip redirects
 crypto map VPN
router ospf 2
 network 10.10.12.2 0.0.0.0 area 0
 network 10.100.200.1 0.0.0.0 area 0
! "ip router" in the posted config is not a command; the static default route is "ip route"
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip access-list extended BR1
 permit gre host 1.1.1.1 host 5.5.5.5

6 Replies

Marcin Latosiewicz
Cisco Employee

What I would suggest is a bit of redesign.

Use DMVPN for IOS routers (or DVTI-SVTI) and a dynamic L2L for ASA.

Thanks for your suggestion. For now we need to continue with site-to-site VPN.

Looking for support on configuring the HQ router for VPN with a dynamic IP on the remote end.

I managed to build up the Branch #2 configuration:

crypto isakmp policy 10
 ! encr 3des added: HQ policy 1 uses 3DES, and an ISAKMP policy with no
 ! encr line defaults to DES, so Phase 1 would never match
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 123456 address 1.1.1.1
crypto isakmp keepalive 300
! transform set changed from esp-des to esp-3des to match HQ's VPN_Con_BR1
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
!
! crypto map names are case-sensitive; the posted config defined "vpn" but applied "VPN"
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set VPN
 match address 115
interface Ethernet0
 ! host octet is missing from the posted address; left as posted
 ip address 192.168.203 255.255.255.0
 ip nat inside
interface ATM0
 bandwidth 4160
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
interface Dialer0
 bandwidth 4160
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username ABCD password 7 ABCD
 ppp ipcp address accept
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer0 overload
access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 100 deny   ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
! permit added: with only deny lines, list 100 matches nothing and no
! Internet-bound traffic would be translated
access-list 100 permit ip 192.168.203.0 0.0.0.255 any
access-list 115 permit ip 192.168.203.0 0.0.0.255 192.168.151.0 0.0.0.255
access-list 115 permit ip 192.168.203.0 0.0.0.255 192.168.152.0 0.0.0.255
access-list 115 permit ip 192.168.203.0 0.0.0.255 192.168.153.0 0.0.0.255
dialer-list 1 protocol ip permit

What exactly is the problem you're facing?

Terminating dynamic peers on a (dynamic) crypto map has been done numerous times.

Starting from the most basic:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

or here:

https://supportforums.cisco.com/docs/DOC-4132

and here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00807be6bc.shtml

Hi

At the HQ VPN router, do I have to create a separate ISAKMP policy for establishing a VPN with a dynamic IP? What about encryption support for VPN on the 887? What about the group number, does it need to be the same on both ends? My concern is only the HQ router configuration for the dynamic VPN peer. I was searching for a Cisco link to look for a VPN router sample config having L2L static and dynamic peers on the same router.

On the HQ side all you need is more crypto map entries (or in your case one entry for all dynamic L2L).

You can share the same ISAKMP policies everywhere (note that ASA is using DH group 2 by default).

On every peer except HQ you have to build a static L2L configuration; the only difference is on the HQ side, where you have the few configuration examples I pasted before.
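The two replies above describe the HQ side as the existing static crypto map plus one extra entry that references a dynamic crypto map, with the ISAKMP policy and transform set shared by both peers. The configuration below is an added example of that HQ-side layout, written for this thread; it is not from the original posts or from the Cisco documents linked above. It reuses the thread's addresses, the map name VPN and the transform set VPN_Con_BR1; the names DYN_BR2 and BR2_TRAFFIC, the sequence number 65535 and the key placeholder are assumptions.

```cisco
! Added example: HQ crypto map extended with a dynamic entry for Branch #2.
! DYN_BR2, BR2_TRAFFIC and <BR2_PRESHARED_KEY> are assumed names/values.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
! Static peer (Branch #1) keeps its own key.
crypto isakmp key 123456 address 5.5.5.5
! Wildcard key for the peer whose address is not known in advance.
! Any host presenting this key may start a negotiation, so use a long
! random string that differs from the static peer's key.
crypto isakmp key <BR2_PRESHARED_KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set VPN_Con_BR1 esp-3des esp-md5-hmac
!
! Mirror of Branch #2's access-list 115: HQ server subnets to Branch #2 users.
! Without a match address the remote peer alone decides which networks
! the dynamic SA protects.
ip access-list extended BR2_TRAFFIC
 permit ip 192.168.151.0 0.0.0.255 192.168.203.0 0.0.0.255
 permit ip 192.168.152.0 0.0.0.255 192.168.203.0 0.0.0.255
 permit ip 192.168.153.0 0.0.0.255 192.168.203.0 0.0.0.255
!
! Dynamic crypto map: no "set peer"; the address is learned when the
! branch connects. reverse-route installs a static route to
! 192.168.203.0/24 via the peer while the SA is up.
crypto dynamic-map DYN_BR2 10
 set transform-set VPN_Con_BR1
 match address BR2_TRAFFIC
 reverse-route
!
! Existing static entry for Branch #1 stays at sequence 10 ...
crypto map VPN 10 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set VPN_Con_BR1
 match address BR1
! ... and the dynamic entry gets the highest sequence number so static
! entries are evaluated first.
crypto map VPN 65535 ipsec-isakmp dynamic DYN_BR2
!
interface GigabitEthernet0/1
 crypto map VPN
```

Because HQ has no peer address for Branch #2, only the branch can initiate; HQ cannot bring the tunnel up on its own, and after a PPP re-dial on Dialer0 the stale SA stays until dead-peer detection (the crypto isakmp keepalive in the branch config) clears it. The ISAKMP policy, DH group and transform set must be identical on both ends; both routers here use the default DH group, whereas an ASA defaults to group 2, as the reply notes, so Branch #3 would need a matching group on either side. 3DES and MD5 are kept to match the thread; on platforms that support it, AES and SHA are the preferable choice.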